Avahi IPv6 Off-link Unicast mDNS Interaction

Advisory Number: 201701

Assigned CVE: CVE-2017-6519

Affected software / systems: Avahi daemon, as used in various popular Linux distributions (and other open source operating systems). The vulnerability has been confirmed in the latest (as of Feb 22, 2017) CentOS 6, CentOS 7, Fedora 25 and Ubuntu 15.04.

Attack type: Remote

Impact:
- DDoS amplification attacks and other remote DoS attacks.
- Information disclosure

Description: Avahi through 0.6.32 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets.
According to IETF RFC 6762 section 5.5, "Since it is possible for a unicast query to be received from a machine outside the local link, responders SHOULD check that the source address in the query packet matches the local subnet for that link (or, in the case of IPv6, the source address has an on-link prefix) and silently ignore the packet if not."

Reference: A. Atlasis, “An Attack-in-Depth Analysis of multicast DNS and DNS Service Discovery”, Hack In the Box, Amsterdam, 14th April 2017.

Similar Vulnerabilities:
- CERT-VN:VU#550620
- CVE-2015-2809
- CVE-2017-6520

Mitigation: Block UDP port 5353 at the perimeter, for both incoming and outgoing traffic.

Note: Red Hat developers do not consider it a bug (see https://bugzilla.redhat.com/show_bug.cgi?id=1426712).

Bose SoundTouch IPv4 Off-link Unicast mDNS Interaction

Advisory Number: 201702

Assigned CVE: CVE-2017-6520

Affected Systems: Bose SoundTouch 30 Series III Music System (other systems of the same vendor may also be vulnerable).

Attack type: Remote

Impact:
- DDoS amplification attacks and other remote DoS attacks.
- Information disclosure

Description: The aforementioned systems inadvertently respond to IPv4 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets.
According to IETF RFC 6762 section 5.5, "Since it is possible for a unicast query to be received from a machine outside the local link, responders SHOULD check that the source address in the query packet matches the local subnet for that link (or, in the case of IPv6, the source address has an on-link prefix) and silently ignore the packet if not."
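The on-link source check that RFC 6762 section 5.5 asks of a responder, and that both advisories above describe as missing (201701 for IPv6 sources, 201702 for IPv4 sources), as an added illustration that is not code from Avahi, Bose or the advisory author. The interface prefixes and the received-query records are constructed sample values:

```python
"""Source-address check from RFC 6762 section 5.5 for unicast mDNS queries."""
import ipaddress

MDNS_PORT = 5353

# Constructed sample: prefixes configured on the responder's interfaces
# (documentation ranges, not a real host). The link-local prefix on the
# interface is the IPv6 "on-link prefix" the RFC refers to.
INTERFACE_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:1::/64"),
    ipaddress.ip_network("fe80::/64"),
]


def is_on_link(src_ip, prefixes=INTERFACE_PREFIXES):
    """True when the query source falls inside a prefix of a local link."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in prefixes if net.version == addr.version)


def should_answer(src_ip, dst_ip, prefixes=INTERFACE_PREFIXES):
    """Multicast queries are answered as usual; a query that arrived by
    unicast is answered only if its source is on-link and is otherwise
    silently ignored, as RFC 6762 section 5.5 says."""
    if ipaddress.ip_address(dst_ip).is_multicast:
        return True
    return is_on_link(src_ip, prefixes)


# Constructed sample of received queries as (source, destination) pairs.
SAMPLE_QUERIES = [
    ("192.0.2.45", "224.0.0.251"),              # multicast, on-link
    ("192.0.2.45", "192.0.2.10"),               # unicast from the local subnet
    ("198.51.100.7", "192.0.2.10"),             # unicast, off-link IPv4 (201702 case)
    ("fe80::1c2b:3d4e:5f60:7a8b", "fe80::1"),   # unicast, IPv6 link-local, on-link
    ("2001:db8:1::77", "2001:db8:1::10"),       # unicast from the on-link IPv6 prefix
    ("2001:db8:4::1", "2001:db8:1::10"),        # unicast, off-link IPv6 (201701 case)
]


def off_link_unicast_sources(queries, prefixes=INTERFACE_PREFIXES):
    """Sources a compliant responder drops; a vulnerable responder answers
    them, which is what makes the host usable as a traffic amplifier."""
    return [src for src, dst in queries if not should_answer(src, dst, prefixes)]


if __name__ == "__main__":
    for src in off_link_unicast_sources(SAMPLE_QUERIES):
        print(f"would be dropped: unicast query to port {MDNS_PORT} from {src}")
```

The same predicate, run over a capture of queries received on port 5353, also serves as a detection for hosts that are answering off-link unicast queries.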

Reference: A. Atlasis, “An Attack-in-Depth Analysis of multicast DNS and DNS Service Discovery”, Hack In the Box, Amsterdam, 14th April 2017.

Similar Vulnerabilities:
- CERT-VN:VU#550620
- CVE-2015-2809
- CVE-2017-6519

Mitigation: Block UDP port 5353 at the perimeter, for both incoming and outgoing traffic.