Avahi
cpe:2.3:a:avahi:avahi:*:*:*:*:*:*:*
- <= 0.9rc2
A denial-of-service vulnerability has been identified in Avahi versions through 0.9rc2. avahi-daemon can be crashed by sending an unsolicited mDNS response containing a recursive CNAME record that points to the same domain. The record triggers unbounded recursion in the 'lookup_handle_cname' function, which exhausts the stack and ends in a segmentation fault. The vulnerability specifically impacts record browsers that have 'AVAHI_LOOKUP_USE_MULTICAST' enabled, including those created by resolvers used with nss-mdns.
Exploitation of this vulnerability causes a segmentation fault in avahi-daemon, leading to a crash of the service.
The vulnerability can be reproduced by sending an unsolicited mDNS response with a recursive CNAME record to an Avahi record browser that has 'AVAHI_LOOKUP_USE_MULTICAST' enabled. This can be done using a patch that adds a CNAME record to an entry group, followed by a lookup that triggers the vulnerable handling of CNAME records. The avahi-daemon will crash with a segmentation fault, indicating the successful exploitation of the vulnerability.
Users can update to Avahi version 0.9 or later, where this vulnerability has been fixed.
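The failure mode described above is alias-following with no depth limit or loop check. As an added illustration (not Avahi's code and not the upstream fix), this C sketch follows CNAME aliases iteratively over a constructed toy cache and rejects self-referential or cyclic chains; `cname_rec`, `resolve_cname` and `MAX_CNAME_HOPS` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed toy cache: owner name -> CNAME target (not Avahi's data structures). */
struct cname_rec { const char *owner; const char *target; };

static const struct cname_rec cache[] = {
    { "printer.local", "hp-4250.local" },   /* ordinary alias */
    { "loop.local",    "loop.local"    },   /* points at itself */
    { "a.local",       "b.local"       },   /* two-record cycle */
    { "b.local",       "a.local"       },
};

#define MAX_CNAME_HOPS 8   /* assumed limit; choose one that suits the deployment */

static const char *cname_target(const char *name) {
    for (size_t i = 0; i < sizeof cache / sizeof cache[0]; i++)
        if (strcasecmp(cache[i].owner, name) == 0)   /* DNS names compare case-insensitively */
            return cache[i].target;
    return NULL;
}

/* Follow aliases in a loop instead of recursing, so stack use stays constant.
 * Returns the hop count (>= 0) and stores the canonical name in *out,
 * or returns -1 when the chain loops or exceeds MAX_CNAME_HOPS. */
int resolve_cname(const char *name, const char **out) {
    for (int hops = 0; hops <= MAX_CNAME_HOPS; hops++) {
        const char *next = cname_target(name);
        if (next == NULL) { *out = name; return hops; }
        if (strcasecmp(next, name) == 0) return -1;   /* self-reference: reject at once */
        name = next;
    }
    return -1;   /* hop budget spent: a longer cycle or an over-long chain */
}

int main(void) {
    const char *names[] = { "printer.local", "loop.local", "a.local", "plain.local" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *canon = NULL;
        int r = resolve_cname(names[i], &canon);
        if (r < 0) printf("%-14s rejected (CNAME loop)\n", names[i]);
        else       printf("%-14s -> %s (%d hops)\n", names[i], canon, r);
    }
    return 0;
}
```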