MDNS的漏洞报告——mdns的最大问题是允许广域网的mdns单播查询,这会暴露设备信息,或者被利用用于dns放大攻击-阿里云开发者社区

开发者社区> 人工智能> 正文
登录阅读全文

MDNS的漏洞报告——mdns的最大问题是允许广域网的mdns单播查询,这会暴露设备信息,或者被利用用于dns放大攻击

简介:

Vulnerability Note VU#550620

Multicast DNS (mDNS) implementations may respond to unicast queries originating outside the local link

Original Release date: 31 三月 2015 | Last revised: 15 五月 2015

转自:http://www.kb.cert.org/vuls/id/550620

文中说得很明白,mdns的最大问题是允许广域网的mdns单播查询,这会暴露设备信息,或者被利用用于dns放大攻击。

解决方法:(1)考虑在WAN处屏蔽MDNS UDP端口5353的流量进入或离开,就是说不允许5353的mdns流量流入广域网。(2)禁用mDNS服务

 

 

Print Document

Overview

Multicast DNS implementations may respond to unicast queries that originate from sources outside of the local link network. Such responses may disclose information about network devices or be used in denial-of-service (DoS) amplification attacks.

Description

Multicast DNS (mDNS) is a way for devices on a local link network to automatically discover other services and devices. In some implementations of mDNS, the mDNS server replies to unicast queries from outside the link local network (e.g., the WAN). This mDNS response may result in information disclosure of devices on the network. Furthermore, the information returned in the response is greater in size than the query and may be used for denial-of-service (DoS) amplification.

RFC 6762 Section 5.5 states the following:

"In specialized applications there may be rare situations where it
  makes sense for a Multicast DNS querier to send its query via unicast
  to a specific machine.  When a Multicast DNS responder receives a
  query via direct unicast, it SHOULD respond as it would for "QU"
  questions, as described above in Section 5.4.  Since it is possible
  for a unicast query to be received from a machine outside the local
  link, responders SHOULD check that the source address in the query
  packet matches the local subnet for that link (or, in the case of
  IPv6, the source address has an on-link prefix) and silently ignore
  the packet if not.


   There may be specialized situations, outside the scope of this
  document, where it is intended and desirable to create a responder
  that does answer queries originating outside the local link.
"

While unicast queries originating from outside the local link are not specifically disallowed, RFC 6762 recommends to ignore any such packets. Some implementations of mDNS do however respond to unicast queries originating outside the local link, possibly for specialized use cases beyond the scope of RFC 6762. 

In these circumstances, the mDNS response to a query from outside the local link allows for information disclosure about devices on the network, such as model number and operating system.

Additionally, the mDNS response to a query from outside the local link may be used for denial of service amplification attacks, due to the larger response size compared to the query size.

More information can be found in security researcher's blog.

Impact

An mDNS response to a unicast query originating outside of the local link network may result in information disclosure, such as disclosing the device type/model that responds to the request or the operating system running such software. The mDNS response may also be used to amplify denial of service attacks against other networks.

Solution

Block inbound and outbound mDNS on the WAN

If such mDNS behavior is not a requirement for your organization, consider blocking the mDNS UDP port 5353 from entering or leaving your local link network.

Disable mDNS services

Some software and devices may allow disabling of the mDNS services. Please consult with the vendor of your product.

Vendor Information (Learn More)

Despite attempts to analyze scan results, it is not entirely clear exactly which software responds to mDNS queries. Vendors have been alerted, but currently only a small number of devices have been confirmed to respond to unicast queries from the WAN. In Linux, the Avahi software is also known to allow unicast queries.

Listed below are vendors that are affected, in the sense that their software or devices by default can respond to unicast queries from outside the link local network. While this technically follows established RFCs and is not a vulnerability in the normal sense, for reasons outlined above this may be unwanted behavior. If you are aware of a software or device that responds to mDNS unicast queries from outside the local link, please contact us.

Vendor Status Date Notified Date Updated
Avahi mDNS Affected - 31 Mar 2015
Canon Affected 10 Feb 2015 08 Apr 2015
Hewlett-Packard Company Affected 10 Feb 2015 20 Mar 2015
IBM Corporation Affected 10 Feb 2015 31 Mar 2015
Synology Affected 10 Feb 2015 31 Mar 2015
Cisco Systems, Inc. Not Affected 10 Feb 2015 31 Mar 2015
Citrix Not Affected 10 Feb 2015 25 Mar 2015
D-Link Systems, Inc. Not Affected 10 Feb 2015 20 Mar 2015
F5 Networks, Inc. Not Affected 10 Feb 2015 31 Mar 2015
Microsoft Corporation Not Affected 10 Feb 2015 09 Mar 2015
Ricoh Company Ltd. Not Affected 10 Feb 2015 15 May 2015
Apple Unknown 10 Feb 2015 10 Feb 2015
CentOS Unknown 10 Feb 2015 10 Feb 2015
Debian GNU/Linux Unknown 10 Feb 2015 10 Feb 2015
Dell Computer Corporation, Inc. Unknown 10 Feb 2015 10 Feb 2015
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P
Temporal 5.2 E:POC/RL:W/RC:UR
Environmental 3.9 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References



















本文转自张昺华-sky博客园博客,原文链接:http://www.cnblogs.com/bonelee/p/7567934.html,如需转载请自行联系原作者





版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。

分享:
人工智能
使用钉钉扫一扫加入圈子
+ 订阅

了解行业+人工智能最先进的技术和实践,参与行业+人工智能实践项目

其他文章
最新文章
相关文章