Package: avahi-daemon
Version: 0.6.27-2
Tags: security
Severity: critical
Justification: Introduces possible denial-of-service scenario.

Hi,
when I scan my server from another machine on the network using nmap, I
get this:
# nmap -sU -p5353 192.168.2.2
Starting Nmap 5.00 ( http://nmap.org ) at 2011-02-23 13:15 CET
Interesting ports on 192.168.2.2:
PORT STATE SERVICE
5353/udp open|filtered zeroconf
MAC Address: XX:XX:XX:XX:XX:XX (Netgear)
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
#
As soon as the scan starts, avahi-daemon on the server starts running
amok, top shows this:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5535 avahi 20 0 33884 1600 1280 R 100 0.0 2:28.47 avahi-daemon
Restarting avahi-daemon is not possible:
# /etc/init.d/avahi-daemon restart
Restarting Avahi mDNS/DNS-SD Daemon: avahi-daemonFailed to kill daemon: Timer expired
.
#
Simply terminating the process doesn't work either:
# ps -Af | grep avahi-daemon
avahi 5535 1 87 13:14 ? 00:04:43 avahi-daemon: running [server.local]
avahi 5536 5535 0 13:14 ? 00:00:00 avahi-daemon: chroot helper
root 5610 5581 0 13:20 pts/2 00:00:00 grep avahi-daemon
# kill 5535
# ps -Af | grep avahi-daemon
avahi 5535 1 88 13:14 ? 00:05:02 avahi-daemon: running [server.local]
avahi 5536 5535 0 13:14 ? 00:00:00 avahi-daemon: chroot helper
root 5614 5581 0 13:20 pts/2 00:00:00 grep avahi-daemon
#
Forcibly killing the process works:
# kill -9 5535
# ps -Af | grep avahi-daemon
root 5629 5581 0 13:23 pts/2 00:00:00 grep avahi-daemon
#
I don't know what kind of data nmap sends when scanning for open UDP
ports, but it definitely shouldn't cause avahi-daemon to run amok.
Please note that I have not changed the Avahi configuration in any way,
so you should be able to reproduce this easily. Please tell me if you
need any more information!
Best regards
Alexander Kurtz

