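mDNS vulnerability report: the biggest problem with mDNS is that it allows unicast mDNS queries from the WAN, which exposes device information or can be abused for DNS amplification attacks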
Vulnerability Note VU#550620
Multicast DNS (mDNS) implementations may respond to unicast queries originating outside the local link
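Original Release date: 31 Mar 2015 | Last revised: 15 May 2015
Reposted from: http://www.kb.cert.org/vuls/id/550620
The note makes it clear: the biggest problem with mDNS is that it allows unicast mDNS queries from the WAN, which exposes device information or can be abused for DNS amplification attacks.
Solutions: (1) Consider blocking mDNS UDP port 5353 traffic from entering or leaving at the WAN, that is, do not allow port 5353 mDNS traffic to flow into the WAN. (2) Disable the mDNS service.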
Overview
Multicast DNS implementations may respond to unicast queries that originate from sources outside of the local link network. Such responses may disclose information about network devices or be used in denial-of-service (DoS) amplification attacks.
Description
Multicast DNS (mDNS) is a way for devices on a local link network to automatically discover other services and devices. In some implementations of mDNS, the mDNS server replies to unicast queries from outside the link local network (e.g., the WAN). This mDNS response may result in information disclosure of devices on the network. Furthermore, the information returned in the response is greater in size than the query and may be used for denial-of-service (DoS) amplification. RFC 6762 Section 5.5 states the following: "In specialized applications there may be rare situations where it

While unicast queries originating from outside the local link are not specifically disallowed, RFC 6762 recommends ignoring any such packets. Some implementations of mDNS do however respond to unicast queries originating outside the local link, possibly for specialized use cases beyond the scope of RFC 6762.

In these circumstances, the mDNS response to a query from outside the local link allows for information disclosure about devices on the network, such as model number and operating system. Additionally, the mDNS response to a query from outside the local link may be used for denial of service amplification attacks, due to the larger response size compared to the query size.

More information can be found in the security researcher's blog.
Impact
An mDNS response to a unicast query originating outside of the local link network may result in information disclosure, such as disclosing the device type/model that responds to the request or the operating system running such software. The mDNS response may also be used to amplify denial of service attacks against other networks.
Solution
Block inbound and outbound mDNS on the WAN
If such mDNS behavior is not a requirement for your organization, consider blocking the mDNS UDP port 5353 from entering or leaving your local link network.

Disable mDNS services
Some software and devices may allow disabling of the mDNS services. Please consult with the vendor of your product.
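The following is an added example, not part of the CERT note or the original post: one way to audit border flow records for devices that answer unicast mDNS queries from outside the local link, which is the behaviour described above and the traffic that blocking UDP 5353 at the WAN stops. The local-link prefixes, addresses, byte counts and the flow tuple layout are all constructed assumptions.

```python
import ipaddress

MDNS_PORT = 5353
# Assumption: prefixes that make up the local link at this site (constructed).
LOCAL_LINK = [ipaddress.ip_network("192.168.1.0/24"),
              ipaddress.ip_network("fe80::/10")]

# Constructed UDP flow records: (src, sport, dst, dport, payload bytes).
FLOWS = [
    ("192.168.1.20", 5353, "224.0.0.251", 5353, 60),    # normal multicast query
    ("203.0.113.7", 40000, "192.168.1.50", 5353, 46),   # unicast query from WAN
    ("192.168.1.50", 5353, "203.0.113.7", 40000, 322),  # device answered it
    ("198.51.100.9", 41000, "192.168.1.60", 5353, 46),  # query, never answered
]

def is_on_link(addr, nets=LOCAL_LINK):
    """True if addr falls inside one of the local-link prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def off_link_responders(flows):
    """Pair off-link unicast queries to port 5353 with the replies that left
    the link; report each responder and its response/query size ratio."""
    queries = {}   # (remote addr, remote port, device) -> query bytes seen
    findings = []
    for src, sport, dst, dport, size in flows:
        if ipaddress.ip_address(dst).is_multicast:
            continue  # link-scoped multicast is ordinary mDNS, not a leak
        if dport == MDNS_PORT and not is_on_link(src) and is_on_link(dst):
            key = (src, sport, dst)
            queries[key] = queries.get(key, 0) + size
        elif sport == MDNS_PORT and is_on_link(src) and not is_on_link(dst):
            q = queries.get((dst, dport, src))  # None if the query was not captured
            findings.append({
                "responder": src, "remote": dst,
                "query_bytes": q, "response_bytes": size,
                "amplification": round(size / q, 2) if q else None,
            })
    return findings

if __name__ == "__main__":
    for f in off_link_responders(FLOWS):
        print(f)
```

A device that ignores off-link queries, as RFC 6762 recommends, produces no finding even though the query reached it; any finding at all means UDP 5353 is crossing the WAN boundary.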
Vendor Information
Despite attempts to analyze scan results, it is not entirely clear exactly which software responds to mDNS queries. Vendors have been alerted, but currently only a small number of devices have been confirmed to respond to unicast queries from the WAN. In Linux, the Avahi software is also known to allow unicast queries.

Listed below are vendors that are affected, in the sense that their software or devices by default can respond to unicast queries from outside the link local network. While this technically follows established RFCs and is not a vulnerability in the normal sense, for reasons outlined above this may be unwanted behavior.

If you are aware of a software or device that responds to mDNS unicast queries from outside the local link, please contact us.

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Avahi mDNS | Affected | - | 31 Mar 2015 |
| Canon | Affected | 10 Feb 2015 | 08 Apr 2015 |
| Hewlett-Packard Company | Affected | 10 Feb 2015 | 20 Mar 2015 |
| IBM Corporation | Affected | 10 Feb 2015 | 31 Mar 2015 |
| Synology | Affected | 10 Feb 2015 | 31 Mar 2015 |
| Cisco Systems, Inc. | Not Affected | 10 Feb 2015 | 31 Mar 2015 |
| Citrix | Not Affected | 10 Feb 2015 | 25 Mar 2015 |
| D-Link Systems, Inc. | Not Affected | 10 Feb 2015 | 20 Mar 2015 |
| F5 Networks, Inc. | Not Affected | 10 Feb 2015 | 31 Mar 2015 |
| Microsoft Corporation | Not Affected | 10 Feb 2015 | 09 Mar 2015 |
| Ricoh Company Ltd. | Not Affected | 10 Feb 2015 | 15 May 2015 |
| Apple | Unknown | 10 Feb 2015 | 10 Feb 2015 |
| CentOS | Unknown | 10 Feb 2015 | 10 Feb 2015 |
| Debian GNU/Linux | Unknown | 10 Feb 2015 | 10 Feb 2015 |
| Dell Computer Corporation, Inc. | Unknown | 10 Feb 2015 | 10 Feb 2015 |

If you are a vendor and your product is affected, let us know.

CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 6.4 | AV:N/AC:L/Au:N/C:P/I:N/A:P |
| Temporal | 5.2 | E:POC/RL:W/RC:UR |
| Environmental | 3.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |