Avahi CNAME Resource Record Handling Vulnerability Leading to Denial-of-Service

A denial-of-service vulnerability has been identified in Avahi versions through 0.9-rc2. The issue arises in avahi-daemon, which can be crashed by sending two unsolicited mDNS announcements containing CNAME resource records, with a two-second interval between them. This exploitation takes advantage of a flaw in how CNAME records are processed, particularly when a lookup is already in progress, causing the daemon to terminate unexpectedly.

Impact

Exploitation of this vulnerability causes avahi-daemon to crash, terminating the process and disrupting any active service discovery operations.

Reproduction

The vulnerability can be reproduced by sending two unsolicited mDNS responses with CNAME records, two seconds apart, to a machine running avahi-daemon. This can be done using a network interface that supports multicast, such as with the Python library Scapy. The first response should include a CNAME record with a non-zero TTL, and the second response should have a TTL of zero. This sequence can be automated with a script that sends the packets at the appropriate intervals.

Remediation

Users can update to Avahi version 0.9-rc3 or later, where this vulnerability has been fixed.