Denial of Service vulnerability (infinite loop) while parsing malicious mDNS queries

Issue #11 new
CVE Reporting created an issue

A maliciously crafted mDNS (Multicast DNS) packet triggers an infinite loop while parsing an mDNS query. The mDNS compressed labels point to each other, and the function uncompress_nlabel goes into an infinite loop trying to analyze the packet with the mDNS query. As a result, the mDNS server hangs after receiving the malicious mDNS packet. A sample packet is attached (raw format: one version is only the UDP payload part of the packet and the second is the full UDP packet).

Vulnerable loops in mdns.c: 1st loop: lines 234-245; 2nd loop: lines 252-265

A similar issue was described in the following CVE: https://www.kb.cert.org/vuls/id/23495

Proposed CVSS 3.0 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H (8.6 - High)

(tinysvcmdns is frequently used in embedded environments where an infinite loop in one module affects the whole system, because no pre-emptive OS is used)

Mitigation: the mDNS server should detect loops while parsing DNS compressed labels. The simplest way to detect them is to keep a counter of processed labels and trigger an error if the counter hits some defined value. Please take a look at the patch that was produced to fix this issue in TizenRT (which uses tinysvcmdns): https://github.com/Samsung/TizenRT/pull/810/commits/2d9a3f156f1a5b551403aabef2fa9edfe1ad12bc

Packet that triggers this issue: hang_01_uncompress_nlabel.raw
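
The counter-based check described under Mitigation, as an added example (this is not tinysvcmdns or TizenRT code). The function name `count_name_labels`, the 128-step cap and the sample buffers are assumptions constructed here; the buffers are bare name encodings, not the attached packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_LABEL_STEPS 128  /* assumed cap; a DNS name is at most 255 bytes */

/* Walk the (possibly compressed) name starting at pkt[off]. Returns the
 * number of labels, or -1 if the name is truncated, malformed, or needs more
 * than MAX_LABEL_STEPS steps, which is how a pointer loop shows up. */
int count_name_labels(const uint8_t *pkt, size_t pkt_len, size_t off)
{
    int labels = 0;

    for (int steps = 0; steps < MAX_LABEL_STEPS; steps++) {
        if (off >= pkt_len)
            return -1;                    /* ran off the end of the packet */
        uint8_t len = pkt[off];

        if (len == 0)
            return labels;                /* root label: end of name */
        if ((len & 0xC0) == 0xC0) {       /* compression pointer (2 bytes) */
            if (off + 1 >= pkt_len)
                return -1;
            off = ((size_t)(len & 0x3F) << 8) | pkt[off + 1];
            continue;                     /* a jump also consumes one step */
        }
        if (len & 0xC0)
            return -1;                    /* reserved label types */
        if (off + 1 + len > pkt_len)
            return -1;                    /* label body truncated */
        off += 1 + (size_t)len;
        labels++;
    }
    return -1;                            /* step budget exhausted: loop */
}

/* Constructed sample buffers. good_name: "foo.local" followed by a pointer
 * back to offset 0. loop_name: two pointers that reference each other. */
static const uint8_t good_name[] = { 3,'f','o','o', 5,'l','o','c','a','l', 0, 0xC0,0x00 };
static const uint8_t loop_name[] = { 0xC0,0x02, 0xC0,0x00 };

int main(void)
{
    printf("good: %d\n", count_name_labels(good_name, sizeof good_name, 11));
    printf("loop: %d\n", count_name_labels(loop_name, sizeof loop_name, 0));
    return 0;
}
```

Because pointer jumps count against the same budget as labels, a chain of pointers that never reaches a root label is rejected after a bounded number of iterations instead of hanging the parser.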
