CERT Vulnerability Note VU#143335

mDNSResponder contains multiple memory-based vulnerabilities

Published: 2016-06-20
Source: www.kb.cert.org

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.012 Low
Percentile: 85.3%

Overview

mDNSResponder provides unicast and multicast mDNS services on UNIX-like operating systems such as OS X. mDNSResponder version 379.27 and above prior to version 625.41.2 is vulnerable to several buffer overflow vulnerabilities, as well as a null pointer dereference.

Description

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2015-7987

Improper bounds checking in the "GetValueForIPv4Addr()", "GetValueForMACAddr()", "rfc3110_import()", and "CopyNSEC3ResourceRecord()" functions may allow an attacker to read or write memory.

CWE-476: NULL Pointer Dereference - CVE-2015-7988

Improper input validation in "handle_regservice_request()" may allow an attacker to execute arbitrary code or cause a denial of service.

Apple has also issued a security advisory for these issues.

mDNSResponder-379.27 and later before mDNSResponder-625.41.2 are vulnerable to both issues. The CVSS score below is based on CVE-2015-7987.


Impact

A remote attacker may be able to execute arbitrary code or cause a denial of service on the system running mDNSResponder.


Solution

Apply an update

mDNSResponder 625.41.2 has been released to address these issues. Affected users should update as soon as possible.
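The affected window stated above (379.27 and later, before 625.41.2) is what an inventory or scanner check has to encode. The following is an added example, not code from the CERT note or from the mDNSResponder project: it parses version tags of the form "mDNSResponder-625.41.2" (the sample inputs are constructed) and classifies them against the advisory's boundaries, padding shorter versions with zeros so that 625.41 sorts below 625.41.2.

```python
"""Added example (not from VU#143335): classify mDNSResponder version tags
against the affected range 379.27 <= version < 625.41.2 from the advisory."""
import re
from typing import Dict, Iterable, Optional, Tuple

# Range boundaries taken from the advisory text.
FIRST_VULNERABLE = (379, 27)
FIRST_FIXED = (625, 41, 2)

# Accepts "mDNSResponder-625.41.2", "625.41.2" or "379.27"; prefix optional.
_VERSION_RE = re.compile(r"(?:mDNSResponder-)?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric components of a version tag, or None if unparsable."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Dotted-numeric ordering: -1, 0 or 1. Shorter tuples are padded with
    zeros, so (625, 41) equals (625, 41, 0) and sorts before (625, 41, 2)."""
    n = max(len(a), len(b))
    pa = a + (0,) * (n - len(a))
    pb = b + (0,) * (n - len(b))
    return (pa > pb) - (pa < pb)


def is_affected(text: str) -> Optional[bool]:
    """True if the version lies in [379.27, 625.41.2), False if outside,
    None if the string does not look like a version tag."""
    v = parse_version(text)
    if v is None:
        return None
    return compare(v, FIRST_VULNERABLE) >= 0 and compare(v, FIRST_FIXED) < 0


def triage(versions: Iterable[str]) -> Dict[str, Optional[bool]]:
    """Map each observed version string (e.g. from an asset inventory) to its status."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, including both boundaries and a bad string.
    sample = ["mDNSResponder-379.27", "mDNSResponder-576.30.4", "625.41.1",
              "mDNSResponder-625.41.2", "320.10.80", "not-a-version"]
    labels = {True: "affected", False: "not affected", None: "unknown"}
    for tag, status in triage(sample).items():
        print(f"{tag:28s} {labels[status]}")
```

A vendor that backports the fix may keep an older version string, so treat a positive result as a triage hint to confirm against the vendor's advisory rather than as proof of exposure.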


Vendor Information


For every vendor listed, the Vendor Statement field reads "We have not received a statement from the vendor." For Affected and Not Affected vendors other than Android, the Vendor Information field reads "We are not aware of further vendor information regarding this vulnerability."; vendors with status Unknown list no vendor references. A dash means no Statement Date was recorded.

Vendor | Status | Notified | Updated | Statement Date
Android Open Source Project | Affected | November 03, 2015 | January 27, 2016 | January 27, 2016
Apple | Affected | October 16, 2015 | October 23, 2015 | October 16, 2015
Arista Networks, Inc. | Not Affected | January 22, 2016 | February 15, 2016 | February 12, 2016
CoreOS | Not Affected | January 22, 2016 | January 25, 2016 | January 23, 2016
Debian GNU/Linux | Not Affected | October 23, 2015 | October 23, 2015 | -
Fedora Project | Not Affected | October 23, 2015 | January 22, 2016 | January 22, 2016
Infoblox | Not Affected | January 22, 2016 | January 25, 2016 | January 22, 2016
Intel Corporation | Not Affected | January 22, 2016 | January 25, 2016 | January 25, 2016
Red Hat, Inc. | Not Affected | October 23, 2015 | January 22, 2016 | January 22, 2016
ACCESS | Unknown | March 22, 2016 | March 21, 2016 | -
AT&T | Unknown | March 22, 2016 | March 21, 2016 | -
Alcatel-Lucent | Unknown | March 22, 2016 | March 21, 2016 | -
Arch Linux | Unknown | October 23, 2015 | October 23, 2015 | -
Aruba Networks | Unknown | March 22, 2016 | March 21, 2016 | -
Avaya, Inc. | Unknown | January 22, 2016 | January 22, 2016 | -
Belkin, Inc. | Unknown | January 22, 2016 | January 22, 2016 | -
Blue Coat Systems | Unknown | March 22, 2016 | March 21, 2016 | -
CA Technologies | Unknown | March 22, 2016 | March 21, 2016 | -
CentOS | Unknown | October 23, 2015 | October 23, 2015 | -
Check Point Software Technologies | Unknown | January 22, 2016 | January 22, 2016 | -
Cisco | Unknown | January 22, 2016 | January 22, 2016 | -
D-Link Systems, Inc. | Unknown | January 22, 2016 | January 22, 2016 | -
DesktopBSD | Unknown | October 23, 2015 | October 23, 2015 | -
DragonFly BSD Project | Unknown | October 23, 2015 | October 23, 2015 | -
EMC Corporation | Unknown | October 23, 2015 | October 23, 2015 | -
EfficientIP SAS | Unknown | March 22, 2016 | March 21, 2016 | -
Enterasys Networks | Unknown | March 22, 2016 | March 21, 2016 | -
Ericsson | Unknown | January 22, 2016 | January 22, 2016 | -
Extreme Networks | Unknown | January 22, 2016 | January 22, 2016 | -
F5 Networks, Inc. | Unknown | October 23, 2015 | October 23, 2015 | -
Force10 Networks | Unknown | March 22, 2016 | March 21, 2016 | -
FreeBSD Project | Unknown | October 23, 2015 | October 23, 2015 | -
Gentoo Linux | Unknown | October 23, 2015 | October 23, 2015 | -
Google | Unknown | March 22, 2016 | March 21, 2016 | -
Hardened BSD | Unknown | October 23, 2015 | October 23, 2015 | -
Hewlett-Packard Company | Unknown | October 23, 2015 | October 23, 2015 | -
Hitachi | Unknown | October 23, 2015 | October 23, 2015 | -
Huawei Technologies | Unknown | March 22, 2016 | March 21, 2016 | -
IBM Corporation | Unknown | October 23, 2015 | October 23, 2015 | -
IBM eServer | Unknown | October 23, 2015 | October 23, 2015 | -
Internet Systems Consortium | Unknown | March 22, 2016 | March 21, 2016 | -
Internet Systems Consortium - DHCP | Unknown | March 22, 2016 | March 21, 2016 | -
Juniper Networks | Unknown | October 23, 2015 | October 23, 2015 | -
Lenovo | Unknown | June 15, 2016 | June 15, 2016 | -
Mandriva S. A. | Unknown | October 23, 2015 | October 23, 2015 | -
McAfee | Unknown | March 22, 2016 | March 21, 2016 | -
Microsoft Corporation | Unknown | October 23, 2015 | October 23, 2015 | -
NEC Corporation | Unknown | October 23, 2015 | October 23, 2015 | -
NetBSD | Unknown | October 23, 2015 | October 23, 2015 | -
Nokia | Unknown | October 23, 2015 | October 23, 2015 | -
Nominum | Unknown | March 22, 2016 | March 21, 2016 | -
OmniTI | Unknown | October 23, 2015 | October 23, 2015 | -
OpenBSD | Unknown | October 23, 2015 | October 23, 2015 | -
OpenDNS | Unknown | March 22, 2016 | March 21, 2016 | -
Openwall GNU/*/Linux | Unknown | October 23, 2015 | October 23, 2015 | -
Oracle Corporation | Unknown | October 23, 2015 | October 23, 2015 | -
PC-BSD | Unknown | October 23, 2015 | October 23, 2015 | -
Peplink | Unknown | January 22, 2016 | January 22, 2016 | -
Q1 Labs | Unknown | March 22, 2016 | March 21, 2016 | -
QNX Software Systems Inc. | Unknown | October 23, 2015 | October 23, 2015 | -
SUSE Linux | Unknown | October 23, 2015 | October 23, 2015 | -
SafeNet | Unknown | January 22, 2016 | January 22, 2016 | -
Secure64 Software Corporation | Unknown | March 22, 2016 | March 21, 2016 | -
Slackware Linux Inc. | Unknown | October 23, 2015 | October 23, 2015 | -
SmoothWall | Unknown | January 22, 2016 | January 22, 2016 | -
Snort | Unknown | March 22, 2016 | March 21, 2016 | -
Sony Corporation | Unknown | October 23, 2015 | October 23, 2015 | -
Sourcefire | Unknown | March 22, 2016 | March 21, 2016 | -
Symantec | Unknown | March 22, 2016 | March 21, 2016 | -
TippingPoint Technologies Inc. | Unknown | March 25, 2016 | March 25, 2016 | -
Turbolinux | Unknown | October 23, 2015 | October 23, 2015 | -
Ubuntu | Unknown | October 23, 2015 | October 23, 2015 | -
Unisys | Unknown | October 23, 2015 | October 23, 2015 | -
VMware | Unknown | January 22, 2016 | January 22, 2016 | -
Wind River | Unknown | January 22, 2016 | January 22, 2016 | -
ZyXEL | Unknown | January 22, 2016 | January 22, 2016 | -
dnsmasq | Unknown | March 22, 2016 | March 21, 2016 | -
m0n0wall | Unknown | October 23, 2015 | October 23, 2015 | -
openSUSE project | Unknown | October 23, 2015 | October 23, 2015 | -

Vendor Information for Android Open Source Project: Android is affected by CVE-2015-7988; fix targeted for next major build of Android (Android N).


CVSS Metrics

Group | Score | Vector
Base | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal | 5.3 | E:POC/RL:OF/RC:C
Environmental | 4.0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Apple for reporting this issue to us and working with us to coordinate the fix with vendors.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-7987, CVE-2015-7988
Date Public: 2016-06-20 Date First Published:
