{"vuid":"VU#550620","idnumber":"550620","name":"Multicast DNS (mDNS) implementations may respond to unicast queries originating outside the local link","keywords":["mDNS"],"overview":"Multicast DNS implementations may respond to unicast queries that originate from sources outside of the local link network. Such responses may disclose information about network devices or be used in denial-of-service (DoS) amplification attacks.","clean_desc":"Multicast DNS (mDNS) is a way for devices on a local link network to automatically discover other services and devices. In some implementations of mDNS, the mDNS server replies to unicast queries from outside the link local network (e.g., the WAN). This mDNS response may result in information disclosure of devices on the network. Furthermore, the information returned in the response is greater in size than the query and may be used for denial-of-service (DoS) amplification. RFC 6762 Section 5.5 states the following: \"In specialized applications there may be rare situations where it\n   makes sense for a Multicast DNS querier to send its query via unicast\n   to a specific machine. When a Multicast DNS responder receives a\n   query via direct unicast, it SHOULD respond as it would for \"QU\"\n   questions, as described above in Section 5.4. Since it is possible\n   for a unicast query to be received from a machine outside the local\n   link, responders SHOULD check that the source address in the query\n   packet matches the local subnet for that link (or, in the case of\n   IPv6, the source address has an on-link prefix) and silently ignore\n   the packet if not. There may be specialized situations, outside the scope of this\n   document, where it is intended and desirable to create a responder\n   that does answer queries originating outside the local link.\" While unicast queries originating from outside the local link are not specifically disallowed, RFC 6762 recommends ignoring any such packets. 
Some implementations of mDNS do, however, respond to unicast queries originating outside the local link, possibly for specialized use cases beyond the scope of RFC 6762. In these circumstances, the mDNS response to a query from outside the local link allows for information disclosure about devices on the network, such as model number and operating system. Additionally, the mDNS response to a query from outside the local link may be used for denial-of-service amplification attacks, due to the larger response size compared to the query size. More information can be found in the security researcher's blog.","impact":"An mDNS response to a unicast query originating outside of the local link network may result in information disclosure, such as disclosing the device type/model that responds to the request or the operating system running such software. The mDNS response may also be used to amplify denial-of-service attacks against other networks.","resolution":"Block inbound and outbound mDNS on the WAN. If such mDNS behavior is not a requirement for your organization, consider blocking the mDNS UDP port 5353 from entering or leaving your local link network.","workarounds":"Disable mDNS services. Some software and devices may allow disabling of the mDNS services. 
Please consult with the vendor of your product.","sysaffected":"Despite attempts to analyze scan results, it is not entirel","thanks":"Thanks to Chad Seaman for reporting this vulnerability and assisting in coordination with vendors.","author":"This document was written by Garret Wassermann.","public":["http://www.ietf.org/rfc/rfc6762.txt","https://github.com/chadillac/mdns_recon"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2015-01-08T13:18:04Z","publicdate":"2015-03-31T00:00:00Z","datefirstpublished":"2015-03-31T17:32:38Z","dateupdated":"2015-05-15T19:59:20Z","revision":76,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"N","cvss_availabilityimpact":"P","cvss_exploitablity":null,"cvss_remediationlevel":"W","cvss_reportconfidence":"UR","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"6.4","cvss_basevector":"AV:N/AC:L/Au:N/C:P/I:N/A:P","cvss_temporalscore":"5.2","cvss_environmentalscore":"3.91276227899812","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}