Avahi Denial-of-Service Vulnerability in Simple Protocol Server

Vulnerability

A denial-of-service vulnerability has been identified in the Avahi service discovery system, specifically in versions through 0.9-rc2. The issue arises in the simple protocol server, which disregards the defined client limit and allows unlimited connections. This flaw enables unprivileged local users to exhaust the daemon's memory and file descriptors, causing a system-wide denial of service for mDNS and DNS-SD. The vulnerability occurs because the server accepts connections without checking against the maximum limit, leading to resource exhaustion and disrupted name resolution for .local addresses.

Impact

Exploitation of this vulnerability causes the Avahi daemon to consume excessive memory and file descriptors, leading to an unresponsive state. This disruption breaks mDNS and DNS-SD functionality, causing failures in resolving .local names and link-local addresses. The increased system load from logging connection errors further exacerbates the denial-of-service condition.

Reproduction

The vulnerability can be reproduced by flooding the Avahi daemon's UNIX socket with idle connections. This can be done using a loop that sends a large number of connection requests to the socket, effectively overwhelming the daemon and causing it to log repeated error messages about too many open files.
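From the defender's side, the symptom the advisory describes (the daemon repeatedly logging that it has too many open files) is the thing to alert on. The following Python script is an added example, not code from the advisory or from the Avahi project: it parses syslog-style lines, keeps only avahi-daemon messages containing the EMFILE error text, and raises a detection when more than a threshold of them land inside a sliding time window. The exact log line format (the `accept(): Too many open files` message, the process name and PID layout) and the sample log it scans are constructed assumptions for this example, not captured output.

```python
import re
from datetime import datetime, timedelta

# Syslog-style line from avahi-daemon. The message prefix is an assumption;
# "Too many open files" is the strerror() text for EMFILE, which is the
# condition the advisory says the daemon logs under the connection flood.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) avahi-daemon\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
EMFILE_MARK = "Too many open files"
DEFAULT_WINDOW = timedelta(seconds=60)


def parse_emfile_events(lines, year):
    """Return the timestamps of avahi-daemon lines reporting EMFILE.

    Classic syslog timestamps carry no year, so the caller supplies it.
    Lines from other daemons, or avahi lines without the marker, are skipped.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or EMFILE_MARK not in m.group("msg"):
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append(ts)
    return events


def detect_burst(events, threshold=20, window=DEFAULT_WINDOW):
    """Sliding-window burst detector.

    Returns (triggered, peak_count, window_start): the largest number of
    EMFILE events observed inside any `window`-long span, and whether that
    peak reached `threshold`. A handful of isolated errors do not trigger;
    a sustained run of them, as produced by exhausting the descriptor
    table, does.
    """
    events = sorted(events)
    peak, peak_start, left = 0, None, 0
    for right, ts in enumerate(events):
        while ts - events[left] > window:
            left += 1
        count = right - left + 1
        if count > peak:
            peak, peak_start = count, events[left]
    return peak >= threshold, peak, peak_start


def constructed_sample_log():
    """Constructed sample log for the example (not real captured output)."""
    base = datetime(2025, 12, 18, 21, 26, 40)
    lines = [
        "Dec 18 21:25:59 host avahi-daemon[812]: Server startup complete.",
        "Dec 18 21:26:05 host CRON[900]: (root) CMD (run-parts /etc/cron.hourly)",
    ]
    # 25 consecutive accept() failures, one per second: the burst pattern.
    for i in range(25):
        stamp = (base + timedelta(seconds=i)).strftime("%b %d %H:%M:%S")
        lines.append(f"{stamp} host avahi-daemon[812]: accept(): Too many open files")
    # One stray error minutes later: should not extend the burst window.
    lines.append("Dec 18 21:30:00 host avahi-daemon[812]: accept(): Too many open files")
    return lines


def analyze(lines, year, threshold=20, window=DEFAULT_WINDOW):
    """Convenience wrapper: parse, detect, and return a summary dict."""
    events = parse_emfile_events(lines, year)
    hit, peak, start = detect_burst(events, threshold, window)
    return {"events": len(events), "triggered": hit, "peak": peak,
            "window_start": start.isoformat() if start else None}


if __name__ == "__main__":
    print(analyze(constructed_sample_log(), year=2025))
```

Tune `threshold` and `window` to the host's normal error rate; on a healthy system avahi-daemon should essentially never report EMFILE, so even a low threshold is a usable signal, and the `window_start` value tells the responder when the descriptor table filled up.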

Remediation

While no official patch is available yet, a candidate fix has been proposed in pull request #808. In the meantime, users can apply additional access restrictions, such as SELinux policies, to prevent unwanted tools from accessing the Avahi socket, or manually change the socket's permissions after the daemon has started.

Added: Dec 18, 2025, 9:26 PM
Updated: Dec 18, 2025, 9:26 PM

Vulnerability Rating

Custom Algorithm
spread: 8.1
impact: 3.3
exploitability: 4.8
remediation: 8.3
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.