Avahi Denial-of-Service Vulnerability via Wide-Area Record Browsers

A denial-of-service vulnerability has been identified in Avahi versions through 0.9-rc2. The issue arises when an unprivileged local user creates record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag enabled, using D-Bus. This can be done by directly calling the RecordBrowserNew method or by creating resolvers or browsers for hostnames, addresses, or services that automatically generate those browsers. When wide-area is disabled, this action can cause avahi-daemon to crash.

Impact

Exploitation of this vulnerability leads to a crash of the avahi-daemon process, causing a denial-of-service condition on the system.

Reproduction

To reproduce this vulnerability, first ensure that Avahi is running with the wide-area feature disabled, which is the default setting in versions prior to 0.9-rc2. Then, use D-Bus to create a record browser with the AVAHI_LOOKUP_USE_WIDE_AREA flag set. This can be done by calling the RecordBrowserNew method or by creating a resolver or browser for a hostname, address, or service that will generate a wide-area record browser internally. Once the wide-area browser is created, avahi-daemon will crash, demonstrating the denial-of-service vulnerability.

Remediation

Users can update to Avahi version 0.9 or later, where this vulnerability has been fixed.