MDNS的漏洞报告——mdns的最大问题是允许广域网的mdns单播查询,这会暴露设备信息,或者被利用用于dns放大攻击
2017-09-21 12:13
721 查看
Vulnerability Note VU#550620
Multicast DNS (mDNS) implementations may respond to unicast queries originating outside the local link
Original Release date: 31 三月 2015 | Last revised: 15 五月 2015转自:http://www.kb.cert.org/vuls/id/550620
文中说得很明白,mdns的最大问题是允许广域网的mdns单播查询,这会暴露设备信息,或者被利用用于dns放大攻击。
解决方法:(1)考虑在WAN处屏蔽MDNS UDP端口5353的流量进入或离开,就是说不允许5353的mdns流量流入广域网。(2)禁用mDNS服务
Print Document
Tweet
Like Me
Share
Overview
Multicast DNS implementations may respond to unicast queries that originate from sources outside of the local link network. Such responses may disclose information about network devices or be used in denial-of-service (DoS) amplification attacks.Description
Multicast DNS (mDNS) is a way for devices on a local link network to automatically discover other services and devices. In some implementations of mDNS, the mDNS server replies to unicast queries from outside the link local network (e.g., the WAN). This mDNS response may result in information disclosure of devices on the network. Furthermore, the information returned in the response is greater in size than the query and may be used for denial-of-service (DoS) amplification. RFC 6762 Section 5.5 states the following: "In specialized applications there may be rare situations where it makes sense for a Multicast DNS querier to send its query via unicast to a specific machine. When a Multicast DNS responder receives a query via direct unicast, it SHOULD respond as it would for "QU" questions, as described above in Section 5.4. Since it is possible for a unicast query to be received from a machine outside the local link, responders SHOULD check that the source address in the query packet matches the local subnet for that link (or, in the case of IPv6, the source address has an on-link prefix) and silently ignore the packet if not. There may be specialized situations, outside the scope of this document, where it is intended and desirable to create a responder that does answer queries originating outside the local link." While unicast queries originating from outside the local link are not specifically disallowed, RFC 6762 recommends to ignore any such packets. Some implementations of mDNS do however respond to unicast queries originating outside the local link, possibly for specialized use cases beyond the scope of RFC 6762. In these circumstances, the mDNS response to a query from outside the local link allows for information disclosure about devices on the network, such as model number and operating system. Additionally, the mDNS response to a query from outside the local link may be used for denial of service amplification attacks, due to the larger response size compared to the query size. More information can be found in security researcher's blog. |
Impact
An mDNS response to a unicast query originating outside of the local link network may result in information disclosure, such as disclosing the device type/model that responds to the request or the operating system running such software. The mDNS response may also be used to amplify denial of service attacks against other networks. |
Solution
Block inbound and outbound mDNS on the WAN If such mDNS behavior is not a requirement for your organization, consider blocking the mDNS UDP port 5353 from entering or leaving your local link network. |
Disable mDNS services Some software and devices may allow disabling of the mDNS services. Please consult with the vendor of your product. |
Vendor Information (Learn More)
Despite attempts to analyze scan results, it is not entirely clear exactly which software responds to mDNS queries. Vendors have been alerted, but currently only a small number of devices have been confirmed to respond to unicast queries from the WAN. In Linux, the Avahi software is also known to allow unicast queries. Listed below are vendors that are affected, in the sense that their software or devices by default can respond to unicast queries from outside the link local network. While this technically follows established RFCs and is not a vulnerability in the normal sense, for reasons outlined above this may be unwanted behavior. If you are aware of a software or device that responds to mDNS unicast queries from outside the local link, please contact us. |
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Avahi mDNS | Affected | - | 31 Mar 2015 |
Canon | Affected | 10 Feb 2015 | 08 Apr 2015 |
Hewlett-Packard Company | Affected | 10 Feb 2015 | 20 Mar 2015 |
IBM Corporation | Affected | 10 Feb 2015 | 31 Mar 2015 |
Synology | Affected | 10 Feb 2015 | 31 Mar 2015 |
Cisco Systems, Inc. | Not Affected | 10 Feb 2015 | 31 Mar 2015 |
Citrix | Not Affected | 10 Feb 2015 | 25 Mar 2015 |
D-Link Systems, Inc. | Not Affected | 10 Feb 2015 | 20 Mar 2015 |
F5 Networks, Inc. | Not Affected | 10 Feb 2015 | 31 Mar 2015 |
Microsoft Corporation | Not Affected | 10 Feb 2015 | 09 Mar 2015 |
Ricoh Company Ltd. | Not Affected | 10 Feb 2015 | 15 May 2015 |
Apple | Unknown | 10 Feb 2015 | 10 Feb 2015 |
CentOS | Unknown | 10 Feb 2015 | 10 Feb 2015 |
Debian GNU/Linux | Unknown | 10 Feb 2015 | 10 Feb 2015 |
Dell Computer Corporation, Inc. | Unknown | 10 Feb 2015 | 10 Feb 2015 |
CVSS Metrics (Learn More)
Group | Score | Vector |
---|---|---|
Base | 6.4 | AV:N/AC:L/Au:N/C:P/I:N/A:P |
Temporal | 5.2 | E:POC/RL:W/RC:UR |
Environmental | 3.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
http://www.ietf.org/rfc/rfc6762.txthttps://github.com/chadillac/mdns_recon
相关文章推荐
- 技术报告:APT组织Wekby利用DNS请求作为C&C设施,攻击美国秘密机构
- 利用Java漏洞窃取浏览器信息的黑洞攻击包
- MDNS DDoS 反射放大攻击——攻击者假冒被攻击者IP向网络发送DNS请求,域名为“_services._dns-sd._udp.local”,这将引起本地网络中所有提供服务的主机都向被攻击者IP发送DNS响应,列举网络中所有服务
- 利用DNS漏洞攻击的Ruby代码
- 游戏安全资讯精选 2018年第八期:3975款游戏被查处,游戏圈重击;Memcached被利用UDP反射攻击漏洞预警;VentureBeat称区块链或可定位和消除恶意可执行代码的安全问题
- DNS反射放大攻击分析——DNS反射放大攻击主要是利用DNS回复包比请求包大的特点,放大流量,伪造请求包的源IP地址为受害者IP,将应答包的流量引入受害的服务器
- 解决 ”不允许在查询中显式构造实体类型“问题及使用其他方法实现返回 List<Model对象>或者IQueryable<Model对象>对象
- 使用远程桌面的朋友可能经常会遇到“超出最大允许连接数”的问题,
- 关于Memcached被利用UDP反射攻击漏洞预警
- android 查询和修改设备信息方法
- Unity3D的SystemInfo类,获取运行设备硬件信息(CPU、显卡、类型等)可用于手机
- SSL 3.0 POODLE攻击信息泄露漏洞(CVE-2014-3566)
- ORACLE - sqlplus查询oracle数据库返回结果为“?”或者乱码问题解决
- 解决Python查询Mysql数据库信息乱码问题
- 解决Python查询Mysql数据库信息乱码问题
- 利用DNS Zone Transfers漏洞工具dnswalk
- 记录一次攻击事件(redis 未授权漏洞利用直接登录服务器) 推荐
- HP 集群软件 - 不能接收节点的设备查询信息:软件引起的连接失败
- fsck 修复ext3文件系统(用于linux系统时间不对,文件系统信息有错引起的die with exit status等的一些问题)
- 关于VS2008问题“无法找到“XXX.exe”的调试信息,或者调试信息不匹配。未使用调试信息生成二进制文件。“