ID GENTOO_GLSA-202005-10.NASL Type nessus Reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2020-05-15T00:00:00
Description
The remote host is affected by the vulnerability described in GLSA-202005-10
(libmicrodns: Multiple vulnerabilities)
Multiple vulnerabilities have been discovered in libmicrodns. Please
review the CVE identifiers and the upstream advisory referenced below for
details.
Impact :
Please review the referenced CVE identifiers for details.
Workaround :
There is no known workaround at this time.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 202005-10.
#
# The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#
include("compat.inc");
# Registration section. It runs only when `description` is truthy and ends
# with exit(0), so in that pass none of the detection code further down in
# the file is executed. Everything here is plugin metadata (identifiers,
# advisory text, scoring, scheduling requirements); no host data is read.
if (description)
{
# Plugin identity and revision bookkeeping.
script_id(136640);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/18");
# The seven CVE identifiers this single package check is mapped to.
script_cve_id("CVE-2020-6071", "CVE-2020-6072", "CVE-2020-6073", "CVE-2020-6077", "CVE-2020-6078", "CVE-2020-6079", "CVE-2020-6080");
# Cross-references: the Gentoo advisory this plugin was generated from, plus
# an IAVB identifier.
script_xref(name:"GLSA", value:"202005-10");
script_xref(name:"IAVB", value:"2020-B-0025");
script_name(english:"GLSA-202005-10 : libmicrodns: Multiple vulnerabilities");
# The summary states the detection method: a look at the installed-package
# records under /var/db/pkg, not a probe of the running service.
script_summary(english:"Checks for updated package(s) in /var/db/pkg");
# NOTE: the string values below span several source lines; the embedded line
# breaks are part of the reported text and must not be re-wrapped.
script_set_attribute(
attribute:"synopsis",
value:
"The remote Gentoo host is missing one or more security-related
patches."
);
# The advisory text is generic: it defers to the CVE entries and the upstream
# bulletin for root cause and impact rather than describing them here.
script_set_attribute(
attribute:"description",
value:
"The remote host is affected by the vulnerability described in GLSA-202005-10
(libmicrodns: Multiple vulnerabilities)
Multiple vulnerabilities have been discovered in libmicrodns. Please
review the CVE identifiers and the upstream advisory referenced below for
details.
Impact :
Please review the referenced CVE identifiers for details.
Workaround :
There is no known workaround at this time."
);
# Upstream (VideoLAN) bulletin and the Gentoo advisory itself.
script_set_attribute(
attribute:"see_also",
value:"https://www.videolan.org/security/sb-vlc309.html"
);
script_set_attribute(
attribute:"see_also",
value:"https://security.gentoo.org/glsa/202005-10"
);
# Remediation text. The two lines starting with '#' inside the string are
# root-shell prompts shown to the reader, not NASL comments. The fixed
# version named here (0.1.2) is the same threshold the detection code uses.
script_set_attribute(
attribute:"solution",
value:
"All libmicrodns users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=net-libs/libmicrodns-0.1.2'"
);
# Scoring. CVSS v2 base: network vector, low complexity, no authentication,
# partial confidentiality/integrity/availability impact. CVSS v3.0 base:
# network vector, low complexity, no privileges or user interaction,
# unchanged scope, high C/I/A impact. Both temporal vectors record an
# unproven exploit (E:U), an official fix (RL:OF / RL:O) and a confirmed
# report (RC:C).
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
# "local" plugin type: the finding is derived from data gathered on the host
# (see the required KB keys below), so it needs working local checks.
script_set_attribute(attribute:"plugin_type", value:"local");
# CPE names for the affected package and the platform.
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:libmicrodns");
script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
# Timeline: vulnerability disclosure, Gentoo patch, plugin release.
script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/24");
script_set_attribute(attribute:"patch_publication_date", value:"2020/05/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/15");
script_set_attribute(attribute:"stig_severity", value:"II");
script_set_attribute(attribute:"generated_plugin", value:"current");
# Closes the attribute list; every script_set_attribute call for this plugin
# appears above this line.
script_end_attributes();
# Information-gathering category: the plugin only reads collected data.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Gentoo Local Security Checks");
# Scheduling requirements: ssh_get_info.nasl is declared as a dependency, and
# the three KB keys listed are the same ones the detection code re-checks
# before it compares package versions.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
# Stop here: registration must not fall through into the detection code.
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");
# Detection logic: compare the installed net-libs/libmicrodns version from
# the host's package list against the fixed release named in GLSA 202005-10.
#
# Scope of the result: this is a package-database comparison only. It does
# not establish whether the library is loaded by any running program or
# whether mDNS traffic can reach the host, and a copy of the library that is
# not recorded in the Gentoo package list would not be seen by this check.

# Preconditions. Each guard hands control to audit() with the matching
# reason code when the required KB entry is absent.
# NOTE(review): audit() presumably ends the script; confirm in audit.inc.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}
if (!get_kb_item("Host/Gentoo/release"))
{
  audit(AUDIT_OS_NOT, "Gentoo");
}
if (!get_kb_item("Host/Gentoo/qpkg-list"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# Number of package checks that matched a vulnerable version.
flag = 0;

# Versions below 0.1.2 are treated as vulnerable; 0.1.2 and later as fixed.
if (qpkg_check(
      package:"net-libs/libmicrodns",
      unaffected:make_list("ge 0.1.2"),
      vulnerable:make_list("lt 0.1.2")))
{
  flag++;
}

if (!flag)
{
  # Nothing matched: distinguish "installed but already fixed" from
  # "package not present" using the list of packages the check examined.
  tested_pkgs = qpkg_tests_get();
  if (tested_pkgs)
  {
    audit(AUDIT_PACKAGE_NOT_AFFECTED, tested_pkgs);
  }
  else
  {
    audit(AUDIT_PACKAGE_NOT_INSTALLED, "libmicrodns");
  }
}
else
{
  # Vulnerable version found: raise the finding on port 0, attaching the
  # package report text only when the scan's report verbosity is above zero.
  if (report_verbosity > 0)
  {
    security_hole(port:0, extra:qpkg_report_get());
  }
  else
  {
    security_hole(0);
  }
  exit(0);
}
{"id": "GENTOO_GLSA-202005-10.NASL", "bulletinFamily": "scanner", "title": "GLSA-202005-10 : libmicrodns: Multiple vulnerabilities", "description": "The remote host is affected by the vulnerability described in GLSA-202005-10\n(libmicrodns: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in libmicrodns. Please\n review the CVE identifiers and the upstream advisory referenced below for\n details.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.", "published": "2020-05-15T00:00:00", "modified": "2020-05-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/136640", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://www.videolan.org/security/sb-vlc309.html", "https://security.gentoo.org/glsa/202005-10"], "cvelist": ["CVE-2020-6071", "CVE-2020-6077", "CVE-2020-6073", "CVE-2020-6080", "CVE-2020-6078", "CVE-2020-6079", "CVE-2020-6072"], "type": "nessus", "lastseen": "2020-06-19T10:27:39", "edition": 3, "viewCount": 16, "enchantments": {"dependencies": {"references": [{"type": "gentoo", "idList": ["GLSA-202005-10"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4671-1:D12B2"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704671"]}, {"type": "nessus", "idList": ["VLC_3_0_9.NASL", "DEBIAN_DSA-4671.NASL"]}, {"type": "archlinux", "idList": ["ASA-202004-24"]}, {"type": "kaspersky", "idList": ["KLA11759"]}, {"type": "cve", "idList": ["CVE-2020-6071", "CVE-2020-6079", "CVE-2020-6080", "CVE-2020-6072", "CVE-2020-6078", "CVE-2020-6073", "CVE-2020-6077"]}, {"type": "talos", "idList": ["TALOS-2020-0996", "TALOS-2020-1000", "TALOS-2020-1001", "TALOS-2020-0995", "TALOS-2020-0994", "TALOS-2020-1002"]}], "modified": "2020-06-19T10:27:39", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": 
"2020-06-19T10:27:39", "rev": 2}, "vulnersScore": 6.4}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202005-10.\n#\n# The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136640);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/18\");\n\n script_cve_id(\"CVE-2020-6071\", \"CVE-2020-6072\", \"CVE-2020-6073\", \"CVE-2020-6077\", \"CVE-2020-6078\", \"CVE-2020-6079\", \"CVE-2020-6080\");\n script_xref(name:\"GLSA\", value:\"202005-10\");\n script_xref(name:\"IAVB\", value:\"2020-B-0025\");\n\n script_name(english:\"GLSA-202005-10 : libmicrodns: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-202005-10\n(libmicrodns: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in libmicrodns. 
Please\n review the CVE identifiers and the upstream advisory referenced below for\n details.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.videolan.org/security/sb-vlc309.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202005-10\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All libmicrodns users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-libs/libmicrodns-0.1.2'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:libmicrodns\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/15\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-libs/libmicrodns\", unaffected:make_list(\"ge 0.1.2\"), vulnerable:make_list(\"lt 0.1.2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libmicrodns\");\n}\n", "naslFamily": "Gentoo Local Security Checks", "pluginID": "136640", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:libmicrodns"], "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "scheme": null}
{"gentoo": [{"lastseen": "2020-05-15T03:08:34", "bulletinFamily": "unix", "cvelist": ["CVE-2020-6071", "CVE-2020-6077", "CVE-2020-6073", "CVE-2020-6080", "CVE-2020-6078", "CVE-2020-6079", "CVE-2020-6072"], "description": "### Background\n\nlibmicrodns is an mDNS library, focused on being simple and cross-platform. \n\n### Description\n\nMultiple vulnerabilities have been discovered in libmicrodns. Please review the CVE identifiers and the upstream advisory referenced below for details. \n\n### Impact\n\nPlease review the referenced CVE identifiers for details.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll libmicrodns users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-libs/libmicrodns-0.1.2\"", "edition": 1, "modified": "2020-05-14T00:00:00", "published": "2020-05-14T00:00:00", "id": "GLSA-202005-10", "href": "https://security.gentoo.org/glsa/202005-10", "title": "libmicrodns: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-08-12T01:06:54", "bulletinFamily": "unix", "cvelist": ["CVE-2020-6071", "CVE-2020-6077", "CVE-2020-6073", "CVE-2020-6080", "CVE-2020-6078", "CVE-2020-6079", "CVE-2020-6072"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4671-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nApril 30, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : vlc\nCVE ID : CVE-2020-6071 CVE-2020-6072 CVE-2020-6073 CVE-2020-6077 \n CVE-2020-6078 CVE-2020-6079 CVE-2020-6080\n\nMultiple security issues were discovered in the microdns plugin of the\nVLC media player, which could result in denial of service or potentially\nthe execution of arbitrary code via malicious mDNS packets.\n\nFor the oldstable 
distribution (stretch), these problems have been fixed\nin version 3.0.10-0+deb9u1. This update disables the microdns plugin.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 3.0.10-0+deb10u1. This update disables the microdns plugin.\n\nWe recommend that you upgrade your vlc packages.\n\nFor the detailed security status of vlc please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/vlc\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 9, "modified": "2020-04-30T20:48:20", "published": "2020-04-30T20:48:20", "id": "DEBIAN:DSA-4671-1:D12B2", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2020/msg00074.html", "title": "[SECURITY] [DSA 4671-1] vlc security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-05-06T01:15:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-6071", "CVE-2020-6077", "CVE-2020-6073", "CVE-2020-6080", "CVE-2020-6078", "CVE-2020-6079", "CVE-2020-6072"], "description": "The remote host is missing an update for the ", "modified": "2020-05-02T00:00:00", "published": "2020-05-02T00:00:00", "id": "OPENVAS:1361412562310704671", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704671", "type": "openvas", "title": "Debian: Security Advisory for vlc (DSA-4671-1)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the 
Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704671\");\n script_version(\"2020-05-02T03:00:23+0000\");\n script_cve_id(\"CVE-2020-6071\", \"CVE-2020-6072\", \"CVE-2020-6073\", \"CVE-2020-6077\", \"CVE-2020-6078\", \"CVE-2020-6079\", \"CVE-2020-6080\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-02 03:00:23 +0000 (Sat, 02 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-02 03:00:23 +0000 (Sat, 02 May 2020)\");\n script_name(\"Debian: Security Advisory for vlc (DSA-4671-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(9|10)\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2020/dsa-4671.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4671-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'vlc'\n package(s) announced via the DSA-4671-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n 
script_tag(name:\"insight\", value:\"Multiple security issues were discovered in the microdns plugin of the\nVLC media player, which could result in denial of service or potentially\nthe execution of arbitrary code via malicious mDNS packets.\");\n\n script_tag(name:\"affected\", value:\"'vlc' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the oldstable distribution (stretch), these problems have been fixed\nin version 3.0.10-0+deb9u1. This update disables the microdns plugin.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 3.0.10-0+deb10u1. This update disables the microdns plugin.\n\nWe recommend that you upgrade your vlc packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libvlc-bin\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libvlc-dev\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libvlc5\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libvlccore-dev\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libvlccore9\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-bin\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-data\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-l10n\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-nox\", 
ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-access-extra\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-base\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-fluidsynth\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-jack\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-notify\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-qt\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-samba\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-skins2\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-svg\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-video-output\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-video-splitter\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-visualization\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-zvbi\", ver:\"3.0.10-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libvlc-bin\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libvlc-dev\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libvlc5\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"libvlccore-dev\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libvlccore9\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-bin\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-data\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-l10n\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-access-extra\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-base\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-fluidsynth\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-jack\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-notify\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-qt\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-samba\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-skins2\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-svg\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-video-output\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-video-splitter\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += 
res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-visualization\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vlc-plugin-zvbi\", ver:\"3.0.10-0+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:39", "bulletinFamily": "unix", "cvelist": ["CVE-2020-6071", "CVE-2020-6072", "CVE-2020-6073", "CVE-2020-6077", "CVE-2020-6078", "CVE-2020-6079", "CVE-2020-6080"], "description": "Arch Linux Security Advisory ASA-202004-24\n==========================================\n\nSeverity: Critical\nDate : 2020-04-30\nCVE-ID : CVE-2020-6071 CVE-2020-6072 CVE-2020-6073 CVE-2020-6077\nCVE-2020-6078 CVE-2020-6079 CVE-2020-6080\nPackage : libmicrodns\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1136\n\nSummary\n=======\n\nThe package libmicrodns before version 0.1.2-1 is vulnerable to\nmultiple issues including arbitrary code execution, denial of service\nand information disclosure.\n\nResolution\n==========\n\nUpgrade to 0.1.2-1.\n\n# pacman -Syu \"libmicrodns>=0.1.2-1\"\n\nThe problems have been fixed upstream in version 0.1.2.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2020-6071 (denial of service)\n\nAn exploitable denial-of-service vulnerability exists in the resource\nrecord-parsing functionality of Videolabs libmicrodns 0.1.0. When\nparsing compressed labels in mDNS messages, the compression pointer is\nfollowed without checking for recursion, leading to a denial of\nservice. An attacker can send an mDNS message to trigger this\nvulnerability.\n\n- CVE-2020-6072 (arbitrary code execution)\n\nAn exploitable code execution vulnerability exists in the label-parsing\nfunctionality of Videolabs libmicrodns 0.1.0. 
When parsing compressed\nlabels in mDNS messages, the rr_decode function's return value is not\nchecked, leading to a double free that could be exploited to execute\narbitrary code. An attacker can send an mDNS message to trigger this\nvulnerability.\n\n- CVE-2020-6073 (information disclosure)\n\nAn exploitable denial-of-service vulnerability exists in the TXT\nrecord-parsing functionality of Videolabs libmicrodns 0.1.0. When\nparsing the RDATA section in a TXT record in mDNS messages, multiple\ninteger overflows can be triggered, leading to a denial of service. An\nattacker can send an mDNS message to trigger this vulnerability.\n\n- CVE-2020-6077 (information disclosure)\n\nAn exploitable denial-of-service vulnerability exists in the message-\nparsing functionality of Videolabs libmicrodns 0.1.0. When parsing mDNS\nmessages, the implementation does not properly keep track of the\navailable data in the message, possibly leading to an out-of-bounds\nread that would result in a denial of service. An attacker can send an\nmDNS message to trigger this vulnerability.\n\n- CVE-2020-6078 (denial of service)\n\nAn exploitable denial-of-service vulnerability exists in the message-\nparsing functionality of Videolabs libmicrodns 0.1.0. When parsing mDNS\nmessages in mdns_recv, the return value of the mdns_read_header\nfunction is not checked, leading to an uninitialized variable usage\nthat eventually results in a null pointer dereference, leading to\nservice crash. An attacker can send a series of mDNS messages to\ntrigger this vulnerability.\n\n- CVE-2020-6079 (denial of service)\n\nMultiple exploitable denial-of-service vulnerabilities exist in the\nresource allocation handling of Videolabs libmicrodns 0.1.0. When\nencountering errors while parsing mDNS messages, some allocated data is\nnot freed, possibly leading to a denial-of-service condition via\nresource exhaustion. 
An attacker can send one mDNS message repeatedly\nto trigger these vulnerabilities.\n\n- CVE-2020-6080 (denial of service)\n\nMultiple exploitable denial-of-service vulnerabilities exist in the\nresource allocation handling of Videolabs libmicrodns 0.1.0. When\nencountering errors while parsing mDNS messages, some allocated data is\nnot freed, possibly leading to a denial-of-service condition via\nresource exhaustion. An attacker can send one mDNS message repeatedly\nto trigger these vulnerabilities.\n\nImpact\n======\n\nA remote attacker can provide crafted DNS responses to crash the\nservice, disclose data or execute arbitrary code.\n\nReferences\n==========\n\nhttps://github.com/videolabs/libmicrodns/releases/tag/0.1.1\nhttps://talosintelligence.com/vulnerability_reports/TALOS-2020-0994\nhttps://github.com/videolabs/libmicrodns/commit/0103f40371cd6e5f034d1ea5674cd33316fef518\nhttps://talosintelligence.com/vulnerability_reports/TALOS-2020-0995\nhttps://github.com/videolabs/libmicrodns/commit/219b180c3cea9ad674a5512412fbd75592f61aa7\nhttps://talosintelligence.com/vulnerability_reports/TALOS-2020-0996\nhttps://github.com/videolabs/libmicrodns/commit/f0e8a723ef2d0a7ef9e200a8fd7c561d4695c5cf\nhttps://talosintelligence.com/vulnerability_reports/TALOS-2020-1000\nhttps://github.com/videolabs/libmicrodns/commit/80860fad7e046959b730a0e37fd8d6ad955682ec\nhttps://talosintelligence.com/vulnerability_reports/TALOS-2020-1001\nhttps://github.com/videolabs/libmicrodns/commit/4fb18284bea9a4f5eaf7745d72965b9b24e27d61\nhttps://talosintelligence.com/vulnerability_reports/TALOS-2020-1002\nhttps://github.com/videolabs/libmicrodns/commit/9768bdbeb8ea6b7849a97af4362d1b5184352cee\nhttps://security.archlinux.org/CVE-2020-6071\nhttps://security.archlinux.org/CVE-2020-6072\nhttps://security.archlinux.org/CVE-2020-6073\nhttps://security.archlinux.org/CVE-2020-6077\nhttps://security.archlinux.org/CVE-2020-6078\nhttps://security.archlinux.org/CVE-2020-6079\nhttps://security.archlinux.org/CVE-20
20-6080", "modified": "2020-04-30T00:00:00", "published": "2020-04-30T00:00:00", "id": "ASA-202004-24", "href": "https://security.archlinux.org/ASA-202004-24", "type": "archlinux", "title": "[ASA-202004-24] libmicrodns: multiple issues", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-05-09T09:18:29", "description": "Multiple security issues were discovered in the microdns plugin of the\nVLC media player, which could result in denial of service or\npotentially the execution of arbitrary code via malicious mDNS\npackets.", "edition": 3, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-05-04T00:00:00", "title": "Debian DSA-4671-1 : vlc - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-6071", "CVE-2020-6077", "CVE-2020-6073", "CVE-2020-6080", "CVE-2020-6078", "CVE-2020-6079", "CVE-2020-6072"], "modified": "2020-05-04T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "p-cpe:/a:debian:debian_linux:vlc", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4671.NASL", "href": "https://www.tenable.com/plugins/nessus/136291", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4671. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136291);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/08\");\n\n script_cve_id(\"CVE-2020-6071\", \"CVE-2020-6072\", \"CVE-2020-6073\", \"CVE-2020-6077\", \"CVE-2020-6078\", \"CVE-2020-6079\", \"CVE-2020-6080\");\n script_xref(name:\"DSA\", value:\"4671\");\n script_xref(name:\"IAVB\", value:\"2020-B-0025\");\n\n script_name(english:\"Debian DSA-4671-1 : vlc - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple security issues were discovered in the microdns plugin of the\nVLC media player, which could result in denial of service or\npotentially the execution of arbitrary code via malicious mDNS\npackets.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/vlc\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/vlc\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/vlc\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2020/dsa-4671\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the vlc packages.\n\nFor the oldstable distribution (stretch), these problems have been\nfixed in version 3.0.10-0+deb9u1. This update disables the microdns\nplugin.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 3.0.10-0+deb10u1. 
This update disables the microdns plugin.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:vlc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/04\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"libvlc-bin\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libvlc-dev\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libvlc5\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libvlccore-dev\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libvlccore9\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"vlc\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"vlc-bin\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"vlc-data\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"vlc-l10n\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"vlc-plugin-access-extra\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"vlc-plugin-base\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"vlc-plugin-fluidsynth\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"vlc-plugin-jack\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"vlc-plugin-notify\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif 
(deb_check(release:\"10.0\", prefix:\"vlc-plugin-qt\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"vlc-plugin-samba\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"vlc-plugin-skins2\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"vlc-plugin-svg\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"vlc-plugin-video-output\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"vlc-plugin-video-splitter\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"vlc-plugin-visualization\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"vlc-plugin-zvbi\", reference:\"3.0.10-0+deb10u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libvlc-bin\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libvlc-dev\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libvlc5\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libvlccore-dev\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libvlccore8\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc-bin\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc-data\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc-l10n\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc-nox\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc-plugin-access-extra\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc-plugin-base\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif 
(deb_check(release:\"9.0\", prefix:\"vlc-plugin-fluidsynth\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc-plugin-jack\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc-plugin-notify\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc-plugin-qt\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc-plugin-samba\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc-plugin-sdl\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc-plugin-skins2\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc-plugin-svg\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc-plugin-video-output\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc-plugin-video-splitter\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc-plugin-visualization\", reference:\"3.0.10-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"vlc-plugin-zvbi\", reference:\"3.0.10-0+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T19:31:20", "description": "The version of VLC media player installed on the remote Windows host is prior to 3.0.9. It is, therefore, affected by \nmultiple vulnerabilities:\n\n - An exploitable denial-of-service vulnerability exists in the resource record-parsing functionality of Videolabs \n libmicrodns 0.1.0. When parsing compressed labels in mDNS messages, the compression pointer is followed without checking \n for recursion, leading to a denial of service. 
An attacker can send an mDNS message to trigger this vulnerability \n (CVE-2020-6071). \n\n - An exploitable code execution vulnerability exists in the label-parsing functionality of Videolabs libmicrodns 0.1.0. \n When parsing compressed labels in mDNS messages, the rr_decode function's return value is not checked, leading to a \n double free that could be exploited to execute arbitrary code. An attacker can send an mDNS message to trigger this \n vulnerability (CVE-2020-6072).\n\n - An exploitable denial-of-service vulnerability exists in the TXT record-parsing functionality of Videolabs libmicrodns 0.1.0. \n When parsing the RDATA section in a TXT record in mDNS messages, multiple integer overflows can be triggered, leading to a denial \n of service. An attacker can send an mDNS message to trigger this vulnerability (CVE-2020-6073).\n\n - An exploitable denial-of-service vulnerability exists in the message-parsing functionality of Videolabs libmicrodns 0.1.0. \n When parsing mDNS messages, the implementation does not properly keep track of the available data in the message, possibly leading \n to an out-of-bounds read that would result in a denial of service. An attacker can send an mDNS message to trigger this \n vulnerability (CVE-2020-6077).\n\n - An exploitable denial-of-service vulnerability exists in the message-parsing functionality of Videolabs libmicrodns 0.1.0. \n When parsing mDNS messages in mdns_recv, the return value of the mdns_read_header function is not checked, leading to an uninitialized \n variable usage that eventually results in a null pointer dereference, leading to service crash. An attacker can send a series of \n mDNS messages to trigger this vulnerability (CVE-2020-6078).\n\n - An exploitable denial-of-service vulnerability exists in the resource allocation handling of Videolabs libmicrodns 0.1.0. 
\n When encountering errors while parsing mDNS messages, some allocated data is not freed, possibly leading to a denial-of-service \n condition via resource exhaustion. An attacker can send one mDNS message repeatedly to trigger this vulnerability through decoding \n of the domain name performed by rr_decode (CVE-2020-6079).", "edition": 4, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-05-08T00:00:00", "title": "VLC < 3.0.9 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-6071", "CVE-2020-6077", "CVE-2020-6073", "CVE-2020-6078", "CVE-2020-6079", "CVE-2019-19721", "CVE-2020-6072"], "modified": "2020-05-08T00:00:00", "cpe": ["cpe:/a:videolan:vlc_media_player"], "id": "VLC_3_0_9.NASL", "href": "https://www.tenable.com/plugins/nessus/136422", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136422);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/13\");\n\n script_cve_id(\n \"CVE-2019-19721\",\n \"CVE-2020-6071\",\n \"CVE-2020-6072\",\n \"CVE-2020-6073\",\n \"CVE-2020-6077\",\n \"CVE-2020-6078\",\n \"CVE-2020-6079\"\n );\n script_xref(name:\"IAVB\", value:\"2020-B-0025\");\n\n script_name(english:\"VLC < 3.0.9 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a media player that is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VLC media player installed on the remote Windows host is prior to 3.0.9. It is, therefore, affected by \nmultiple vulnerabilities:\n\n - An exploitable denial-of-service vulnerability exists in the resource record-parsing functionality of Videolabs \n libmicrodns 0.1.0. 
When parsing compressed labels in mDNS messages, the compression pointer is followed without checking \n for recursion, leading to a denial of service. An attacker can send an mDNS message to trigger this vulnerability \n (CVE-2020-6071). \n\n - An exploitable code execution vulnerability exists in the label-parsing functionality of Videolabs libmicrodns 0.1.0. \n When parsing compressed labels in mDNS messages, the rr_decode function's return value is not checked, leading to a \n double free that could be exploited to execute arbitrary code. An attacker can send an mDNS message to trigger this \n vulnerability (CVE-2020-6072).\n\n - An exploitable denial-of-service vulnerability exists in the TXT record-parsing functionality of Videolabs libmicrodns 0.1.0. \n When parsing the RDATA section in a TXT record in mDNS messages, multiple integer overflows can be triggered, leading to a denial \n of service. An attacker can send an mDNS message to trigger this vulnerability (CVE-2020-6073).\n\n - An exploitable denial-of-service vulnerability exists in the message-parsing functionality of Videolabs libmicrodns 0.1.0. \n When parsing mDNS messages, the implementation does not properly keep track of the available data in the message, possibly leading \n to an out-of-bounds read that would result in a denial of service. An attacker can send an mDNS message to trigger this \n vulnerability (CVE-2020-6077).\n\n - An exploitable denial-of-service vulnerability exists in the message-parsing functionality of Videolabs libmicrodns 0.1.0. \n When parsing mDNS messages in mdns_recv, the return value of the mdns_read_header function is not checked, leading to an uninitialized \n variable usage that eventually results in a null pointer dereference, leading to service crash. 
An attacker can send a series of \n mDNS messages to trigger this vulnerability (CVE-2020-6078).\n\n - An exploitable denial-of-service vulnerability exists in the resource allocation handling of Videolabs libmicrodns 0.1.0. \n When encountering errors while parsing mDNS messages, some allocated data is not freed, possibly leading to a denial-of-service \n condition via resource exhaustion. An attacker can send one mDNS message repeatedly to trigger this vulnerability through decoding \n of the domain name performed by rr_decode (CVE-2020-6079).\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.videolan.org/security/sb-vlc309.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VLC version 3.0.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6072\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:videolan:vlc_media_player\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"vlc_installed.nasl\");\n script_require_keys(\"SMB/VLC/Version\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_info = vcf::get_app_info(app:'VLC media player', win_local:TRUE);\n\nconstraints = [{'fixed_version':'3.0.9'}];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2020-09-02T12:02:23", "bulletinFamily": "info", "cvelist": ["CVE-2020-6071", "CVE-2020-6077", "CVE-2020-6073", "CVE-2020-6078", "CVE-2020-6079", "CVE-2020-6072"], "description": "### *Detect date*:\n04/29/2020\n\n### *Severity*:\nWarning\n\n### *Description*:\nMultiple vulnerabilities were found in VLC media player. Malicious users can exploit these vulnerabilities to cause denial of service or execute arbitrary code.\n\n### *Affected products*:\nVLC media player version 3.0.0 to 3.0.8\n\n### *Solution*:\nUpdate to the latest version \n[Download VLC media player](<http://www.videolan.org/vlc/index.html>)\n\n### *Original advisories*:\n[sb-vlc309](<https://www.videolan.org/security/sb-vlc309.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[VLC media player](<https://threats.kaspersky.com/en/product/VLC-media-player/>)\n\n### *CVE-IDS*:\n[CVE-2020-6071](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6071>) 0.0 Unknown \n[CVE-2020-6072](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6072>) 0.0 Unknown \n[CVE-2020-6073](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6073>) 0.0 Unknown \n[CVE-2020-6077](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6077>) 0.0 Unknown \n[CVE-2020-6078](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6078>) 0.0 Unknown \n[CVE-2020-6079](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6079>) 0.0 Unknown", "edition": 1, "modified": "2020-05-29T00:00:00", "published": "2020-04-29T00:00:00", "id": "KLA11759", 
"href": "https://threats.kaspersky.com/en/vulnerability/KLA11759", "title": "KLA11759 Multiple vulnerabilities in VLC media player", "type": "kaspersky", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2020-10-03T12:55:57", "description": "An exploitable denial-of-service vulnerability exists in the TXT record-parsing functionality of Videolabs libmicrodns 0.1.0. When parsing the RDATA section in a TXT record in mDNS messages, multiple integer overflows can be triggered, leading to a denial of service. An attacker can send an mDNS message to trigger this vulnerability.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-03-24T21:15:00", "title": "CVE-2020-6073", "type": "cve", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6073"], "modified": "2020-05-15T00:15:00", "cpe": ["cpe:/a:videolabs:libmicrodns:0.1.0"], "id": "CVE-2020-6073", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6073", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": 
["cpe:2.3:a:videolabs:libmicrodns:0.1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:55:57", "description": "An exploitable denial-of-service vulnerability exists in the message-parsing functionality of Videolabs libmicrodns 0.1.0. When parsing mDNS messages in mdns_recv, the return value of the mdns_read_header function is not checked, leading to an uninitialized variable usage that eventually results in a null pointer dereference, leading to service crash. An attacker can send a series of mDNS messages to trigger this vulnerability.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-03-24T21:15:00", "title": "CVE-2020-6078", "type": "cve", "cwe": ["CWE-252", "CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6078"], "modified": "2020-05-15T00:15:00", "cpe": ["cpe:/a:videolabs:libmicrodns:0.1.0"], "id": "CVE-2020-6078", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6078", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:videolabs:libmicrodns:0.1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:55:57", "description": "An 
exploitable code execution vulnerability exists in the label-parsing functionality of Videolabs libmicrodns 0.1.0. When parsing compressed labels in mDNS messages, the rr_decode function's return value is not checked, leading to a double free that could be exploited to execute arbitrary code. An attacker can send an mDNS message to trigger this vulnerability.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-24T21:15:00", "title": "CVE-2020-6072", "type": "cve", "cwe": ["CWE-415"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6072"], "modified": "2020-05-15T00:15:00", "cpe": ["cpe:/a:videolabs:libmicrodns:0.1.0"], "id": "CVE-2020-6072", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6072", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:videolabs:libmicrodns:0.1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:55:57", "description": "An exploitable denial-of-service vulnerability exists in the resource allocation handling of Videolabs libmicrodns 0.1.0. 
When encountering errors while parsing mDNS messages, some allocated data is not freed, possibly leading to a denial-of-service condition via resource exhaustion. An attacker can send one mDNS message repeatedly to trigger this vulnerability. The function rr_read_RR [5] reads the current resource record, except for the RDATA section, which is read by the loop in rr_read. For each RR type, a different function is called. When the RR type is 0x10, the function rr_read_TXT is called at [6].", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-03-24T21:15:00", "title": "CVE-2020-6080", "type": "cve", "cwe": ["CWE-400"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6080"], "modified": "2020-05-15T00:15:00", "cpe": ["cpe:/a:videolabs:libmicrodns:0.1.0"], "id": "CVE-2020-6080", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6080", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:videolabs:libmicrodns:0.1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:55:57", "description": "An exploitable denial-of-service vulnerability exists 
in the resource record-parsing functionality of Videolabs libmicrodns 0.1.0. When parsing compressed labels in mDNS messages, the compression pointer is followed without checking for recursion, leading to a denial of service. An attacker can send an mDNS message to trigger this vulnerability.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-03-24T21:15:00", "title": "CVE-2020-6071", "type": "cve", "cwe": ["CWE-674"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6071"], "modified": "2020-05-15T00:15:00", "cpe": ["cpe:/a:videolabs:libmicrodns:0.1.0"], "id": "CVE-2020-6071", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6071", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:videolabs:libmicrodns:0.1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:55:57", "description": "An exploitable denial-of-service vulnerability exists in the resource allocation handling of Videolabs libmicrodns 0.1.0. 
When encountering errors while parsing mDNS messages, some allocated data is not freed, possibly leading to a denial-of-service condition via resource exhaustion. An attacker can send one mDNS message repeatedly to trigger this vulnerability through decoding of the domain name performed by rr_decode.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-03-24T21:15:00", "title": "CVE-2020-6079", "type": "cve", "cwe": ["CWE-400"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6079"], "modified": "2020-05-15T00:15:00", "cpe": ["cpe:/a:videolabs:libmicrodns:0.1.0"], "id": "CVE-2020-6079", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6079", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:videolabs:libmicrodns:0.1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:55:57", "description": "An exploitable denial-of-service vulnerability exists in the message-parsing functionality of Videolabs libmicrodns 0.1.0. 
When parsing mDNS messages, the implementation does not properly keep track of the available data in the message, possibly leading to an out-of-bounds read that would result in a denial of service. An attacker can send an mDNS message to trigger this vulnerability.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-03-24T21:15:00", "title": "CVE-2020-6077", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6077"], "modified": "2020-05-15T00:15:00", "cpe": ["cpe:/a:videolabs:libmicrodns:0.1.0"], "id": "CVE-2020-6077", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6077", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:videolabs:libmicrodns:0.1.0:*:*:*:*:*:*:*"]}], "talos": [{"lastseen": "2020-09-30T22:44:19", "bulletinFamily": "info", "cvelist": ["CVE-2020-6080", "CVE-2020-6079"], "description": "# Talos Vulnerability Report\n\n### TALOS-2020-1002\n\n## Videolabs libmicrodns 0.1.0 resource allocation denial-of-service vulnerabilities\n\n##### March 23, 2020\n\n##### CVE Number\n\nCVE-2020-6079, 
CVE-2020-6080\n\n### Summary\n\nMultiple exploitable denial-of-service vulnerabilities exist in the resource allocation handling of Videolabs libmicrodns 0.1.0. When encountering errors while parsing mDNS messages, some allocated data is not freed, possibly leading to a denial-of-service condition via resource exhaustion. An attacker can send one mDNS message repeatedly to trigger these vulnerabilities.\n\n### Tested Versions\n\nVideolabs libmicrodns 0.1.0\n\n### Product URLs\n\n<https://github.com/videolabs/libmicrodns>\n\n### CVSSv3 Score\n\n7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### CWE\n\nCWE-400: Uncontrolled Resource Consumption (\u2018Resource Exhaustion\u2019)\n\n### Details\n\nThe libmicrodns library is an mDNS resolver that aims to be simple and compatible cross-platform.\n\nThe function `mdns_recv` reads and parses an mDNS message:\n \n \n static int\n mdns_recv(const struct mdns_conn* conn, struct mdns_hdr *hdr, struct rr_entry **entries)\n {\n uint8_t buf[MDNS_PKT_MAXSZ];\n size_t num_entry, n;\n ssize_t length;\n struct rr_entry *entry;\n \n *entries = NULL;\n if ((length = recv(conn->sock, (char *) buf, sizeof(buf), 0)) < 0) // [1]\n return (MDNS_NETERR);\n \n const uint8_t *ptr = mdns_read_header(buf, length, hdr); // [2]\n n = length;\n \n num_entry = hdr->num_qn + hdr->num_ans_rr + hdr->num_add_rr;\n for (size_t i = 0; i < num_entry; ++i) {\n entry = calloc(1, sizeof(struct rr_entry));\n if (!entry)\n goto err;\n ptr = rr_read(ptr, &n, buf, entry, i >= hdr->num_qn); // [3]\n if (!ptr) {\n free(entry); // [4]\n errno = ENOSPC;\n goto err;\n }\n entry->next = *entries;\n *entries = entry;\n }\n ...\n }\n \n\nAt [1], a message is read from the network. The 12-bytes mDNS header is then parsed at [2]. 
Based on the header info, the loop parses each resource record (\u201cRR\u201d) using the function `rr_read` [3].\n \n \n const uint8_t *\n rr_read(const uint8_t *ptr, size_t *n, const uint8_t *root, struct rr_entry *entry, int8_t ans)\n {\n size_t skip;\n const uint8_t *p;\n \n p = ptr = rr_read_RR(ptr, n, root, entry, ans); // [5]\n if (ans == 0) return ptr;\n \n for (size_t i = 0; i < rr_num; ++i) {\n if (rrs[i].type == entry->type) {\n ptr = (*rrs[i].read)(ptr, n, root, entry); // [6]\n if (!ptr)\n return (NULL); // [7]\n break;\n }\n }\n ...\n \n\n#### CVE-2020-6079 - rr_decode\n\nThe function `rr_read`, in turn calls `rr_read_RR` [5]:\n \n \n static const uint8_t *\n rr_read_RR(const uint8_t *ptr, size_t *n, const uint8_t *root, struct rr_entry *entry, int8_t ans)\n {\n uint16_t tmp;\n \n ptr = rr_decode(ptr, n, root, &entry->name);\n if (!ptr || *n < 4)\n return (NULL); // [8]\n \n ptr = read_u16(ptr, n, &entry->type);\n ptr = read_u16(ptr, n, &tmp);\n entry->rr_class = (tmp & ~0x8000);\n entry->msbit = ((tmp & 0x8000) == 0x8000);\n if (ans) {\n if (*n < 6)\n return (NULL); // [9]\n ptr = read_u32(ptr, n, &entry->ttl);\n ptr = read_u16(ptr, n, &entry->data_len);\n }\n return ptr;\n }\n \n\nThe actual decoding of the domain name is performed by `rr_decode`:\n \n \n #define advance(x) ptr += x; *n -= x\n \n /*\n * Decodes a DN compressed format (RFC 1035)\n * e.g \"\\x03foo\\x03bar\\x00\" gives \"foo.bar\"\n */\n static const uint8_t *\n rr_decode(const uint8_t *ptr, size_t *n, const uint8_t *root, char **ss)\n {\n char *s;\n \n s = *ss = malloc(MDNS_DN_MAXSZ); // [10]\n if (!s)\n return (NULL);\n \n if (*ptr == 0) {\n *s = '\\0';\n advance(1);\n return (ptr);\n }\n ...\n advance(1);\n return (ptr);\n err: // [11]\n free(*ss);\n return (NULL);\n }\n \n\nThe function `rr_decode` allocates the `ss` buffer [10], which is only freed upon error [11]. 
This means that the caller of this function is responsible for free-ing this buffer.\n\nWe can see that, if the conditions at [8] or [9] are hit, the code would return NULL without free-ing the `entry->name` buffer (called `ss` in `rr_decode`). Eventually, `mdns_recv` will free the structure `entry` [4], but will not try to free anything inside it, so the `entry->name` allocation is leaked. Note, however, that due to a bug discussed in TALOS-2020-1000, these conditions are not reachable.\n\nHowever, there is another opportunity to trigger this bug later, at [7]. Inside that loop, for each `RR` type, a different function is called. So, to trigger the `return NULL` at [7] an attacker could specify a message with an invalid `SRV`, `PTR`, `TXT`, `AAAA` or `A` structure, in order to make any of those functions fail and return NULL.\n\n#### CVE-2020-6080 - `rr_read_TXT`\n\nThe function `rr_read_RR` [5] reads the current resource record, except for the `RDATA` section. This is read by the loop in `rr_read`. For each `RR` type, a different function is called. 
When the `RR` type is 0x10, the function `rr_read_TXT` is called at [6].\n \n \n #define advance(x) ptr += x; *n -= x\n \n static const uint8_t *\n rr_read_TXT(const uint8_t *ptr, size_t *n, const uint8_t *root, struct rr_entry *entry)\n {\n union rr_data *data = &entry->data;\n uint16_t len = entry->data_len; // [15]\n uint8_t l;\n \n if (*n == 0 || *n < len)\n return (NULL);\n \n for (; len > 0; len -= l + 1) {\n struct rr_data_txt *text;\n \n memcpy(&l, ptr, sizeof(l)); // [12]\n advance(1);\n if (*n < l) // [16]\n return (NULL);\n text = malloc(sizeof(struct rr_data_txt)); // [14]\n if (!text)\n return (NULL);\n text->next = data->TXT;\n data->TXT = text;\n if (l > 0)\n memcpy(text->txt, ptr, l); // [13]\n text->txt[l] = '\\0';\n advance(l);\n }\n return (ptr);\n }\n \n\nThis function expects 4 parameters:\n\n * `ptr`: the pointer to the start of the label to parse\n * `n`: the number of remaining bytes in the message, starting from ptr\n * `root`: the pointer to the start of the mDNS message\n * `entry`: the entry struct, containing the parsed resource record\n\nThe function is supposed to extract each variable-length string from the `RDATA` section. In this case, it extracts a length in position 0 [12], and copies the data found in `text->txt` [13], after allocating space for it at [14]. During this parsing, `*n` and `len` are decremented accordingly. In this loop, `len` tracks the number of characters left to read in the same RDATA section, as previously declared in the `data_len` field [15].\n\nNote that, because of the loop, the code would parse multiple strings in the same `RDATA` section. 
However, if the condition at [16] is met, the function returns `NULL` (which suggests the caller function to discard the record altogether) without first free-ing the allocated `text` structures.\n\nThus, any TXT answer with more than one string in the `RDATA` section, when also containing an invalid string length at the end, would trigger the condition at [16], causing a resource leak. \nAn attacker can exploit this behavior by sending multiple TXT answers, exhausting the process memory and crashing the service.\n\n### Timeline\n\n2020-01-30 - Vendor Disclosure \n2020-03-20 - Vendor Patched \n \n2020-03-23 - Public Release\n\n##### Credit\n\nDiscovered by Claudio Bozzato of Cisco Talos. \n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2020-1039\n\nPrevious Report\n\nTALOS-2020-1001\n", "edition": 11, "modified": "2020-03-23T00:00:00", "published": "2020-03-23T00:00:00", "id": "TALOS-2020-1002", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1002", "title": "Videolabs libmicrodns 0.1.0 resource allocation denial-of-service vulnerabilities", "type": "talos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-01T21:25:01", "bulletinFamily": "info", "cvelist": ["CVE-2020-6078"], "description": "# Talos Vulnerability Report\n\n### TALOS-2020-1001\n\n## Videolabs libmicrodns 0.1.0 mdns_recv return value denial-of-service vulnerability\n\n##### March 23, 2020\n\n##### CVE Number\n\nCVE-2020-6078\n\n### Summary\n\nAn exploitable denial-of-service vulnerability exists in the message-parsing functionality of Videolabs libmicrodns 0.1.0. When parsing mDNS messages in `mdns_recv`, the return value of the `mdns_read_header` function is not checked, leading to an uninitialized variable usage that eventually results in a null pointer dereference, leading to service crash. 
An attacker can send a series of mDNS messages to trigger this vulnerability.\n\n### Tested Versions\n\nVideolabs libmicrodns 0.1.0\n\n### Product URLs\n\n<https://github.com/videolabs/libmicrodns>\n\n### CVSSv3 Score\n\n7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### CWE\n\nCWE-252: Unchecked Return Value\n\n### Details\n\nThe libmicrodns library is an mDNS resolver that aims to be simple and compatible cross-platform.\n\nThe function `mdns_listen_probe_network` handles the data structures used for the reception of mDNS messages. It declares an `mdns_hdr` that stores the header of the last mDNS message processed. It also calls `mdns_recv` [2], which actually fills this structure and parses the rest of the mDNS message. As we can see, the structure is initialized to `0`, but it\u2019s left untouched inside the `mdns_recv` loop.\n \n \n struct mdns_hdr {\n uint16_t id;\n uint16_t flags;\n uint16_t num_qn;\n uint16_t num_ans_rr;\n uint16_t num_auth_rr;\n uint16_t num_add_rr;\n };\n \n ...\n \n static int\n mdns_listen_probe_network(const struct mdns_ctx *ctx, const char *const names[],\n unsigned int nb_names, mdns_listen_callback callback,\n void *p_cookie)\n {\n struct mdns_hdr ahdr = {0}; // [1]\n struct rr_entry *entries;\n struct pollfd *pfd = alloca( sizeof(*pfd) * ctx->nb_conns );\n int r;\n \n for (size_t i = 0; i < ctx->nb_conns; ++i) {\n pfd[i].fd = ctx->conns[i].sock;\n pfd[i].events = POLLIN;\n }\n \n r = poll(pfd, ctx->nb_conns, 1000);\n if (r <= 0) {\n return r;\n }\n for (size_t i = 0; i < ctx->nb_conns; ++i) {\n if ((pfd[i].revents & POLLIN) == 0)\n continue;\n r = mdns_recv(&ctx->conns[i], &ahdr, &entries); // [2]\n if (r == MDNS_NETERR && os_wouldblock())\n {\n mdns_free(entries);\n continue;\n }\n \n if (ahdr.num_ans_rr + ahdr.num_add_rr == 0)\n {\n mdns_free(entries);\n continue;\n }\n \n for (struct rr_entry *entry = entries; entry; entry = entry->next) {\n for (unsigned int i = 0; i < nb_names; ++i) {\n if (!strrcmp(entry->name, 
names[i])) {\n callback(p_cookie, r, entries);\n break;\n }\n }\n }\n mdns_free(entries);\n }\n return 0;\n }\n \n\nThe function `mdns_recv` reads and parses an mDNS message:\n \n \n static int\n mdns_recv(const struct mdns_conn* conn, struct mdns_hdr *hdr, struct rr_entry **entries)\n {\n uint8_t buf[MDNS_PKT_MAXSZ];\n size_t num_entry, n;\n ssize_t length;\n struct rr_entry *entry;\n \n *entries = NULL;\n if ((length = recv(conn->sock, (char *) buf, sizeof(buf), 0)) < 0) // [3]\n return (MDNS_NETERR);\n \n const uint8_t *ptr = mdns_read_header(buf, length, hdr); // [4]\n n = length;\n \n num_entry = hdr->num_qn + hdr->num_ans_rr + hdr->num_add_rr; // [5]\n for (size_t i = 0; i < num_entry; ++i) {\n entry = calloc(1, sizeof(struct rr_entry));\n if (!entry)\n goto err;\n ptr = rr_read(ptr, &n, buf, entry, i >= hdr->num_qn); // [6]\n if (!ptr) {\n free(entry);\n errno = ENOSPC;\n goto err;\n }\n entry->next = *entries;\n *entries = entry;\n }\n ...\n }\n \n\nAt [3], a message is read from the network. The 12-bytes mDNS header is then parsed at [4]. If at least one question/resource-record is found [5], the loop parses the remaining data in the message. by calling `rr_read` [6].\n \n \n static const uint8_t *\n mdns_read_header(const uint8_t *ptr, size_t n, struct mdns_hdr *hdr)\n {\n if (n <= sizeof(struct mdns_hdr)) {\n errno = ENOSPC;\n return NULL; // [7]\n }\n ptr = read_u16(ptr, &n, &hdr->id);\n ptr = read_u16(ptr, &n, &hdr->flags);\n ptr = read_u16(ptr, &n, &hdr->num_qn);\n ptr = read_u16(ptr, &n, &hdr->num_ans_rr);\n ptr = read_u16(ptr, &n, &hdr->num_auth_rr);\n ptr = read_u16(ptr, &n, &hdr->num_add_rr);\n return ptr;\n }\n \n\nThe function `mdns_read_header` parses the header, and returns NULL [7] when the message is too small (less than or equal to 12). However, after [4], the code doesn\u2019t check the return value of this function. 
Since the contents of the `hdr` structures are not reset between each call of `mdns_recv`, the line at [5] is effectively accessing uninitialized data. \nIf `num_entry` is then different from `0` (because of a previous valid mDNS message), the `rr_read` function will be called with `ptr` set to `NULL`. Eventually, `rr_read` will call the `rr_decode` function that will dereference this null pointer at [8], crashing the service.\n \n \n /*\n * Decodes a DN compressed format (RFC 1035)\n * e.g \"\\x03foo\\x03bar\\x00\" gives \"foo.bar\"\n */\n static const uint8_t *\n rr_decode(const uint8_t *ptr, size_t *n, const uint8_t *root, char **ss)\n {\n char *s;\n \n s = *ss = malloc(MDNS_DN_MAXSZ);\n if (!s)\n return (NULL);\n \n if (*ptr == 0) { // [8]\n *s = '\\0';\n advance(1);\n return (ptr);\n }\n ...\n \n\n### Timeline\n\n2020-01-30 - Vendor Disclosure \n2020-03-20 - Vendor Patched \n2020-03-23 - Public Release\n\n##### Credit\n\nDiscovered by Claudio Bozzato of Cisco Talos. \n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2020-1002\n\nPrevious Report\n\nTALOS-2020-1000\n", "edition": 4, "modified": "2020-03-23T00:00:00", "published": "2020-03-23T00:00:00", "id": "TALOS-2020-1001", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1001", "title": "Videolabs libmicrodns 0.1.0 mdns_recv return value denial-of-service vulnerability", "type": "talos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-01T21:25:19", "bulletinFamily": "info", "cvelist": ["CVE-2020-6072"], "description": "# Talos Vulnerability Report\n\n### TALOS-2020-0995\n\n## Videolabs libmicrodns 0.1.0 rr_decode return value remote code execution vulnerability\n\n##### March 23, 2020\n\n##### CVE Number\n\nCVE-2020-6072 \n\n### Summary\n\nAn exploitable code execution vulnerability exists in the label-parsing functionality of Videolabs libmicrodns 0.1.0. 
When parsing compressed labels in mDNS messages, the `rr_decode` function\u2019s return value is not checked, leading to a double free that could be exploited to execute arbitrary code. An attacker can send an mDNS message to trigger this vulnerability.\n\n### Tested Versions\n\nVideolabs libmicrodns 0.1.0\n\n### Product URLs\n\n<https://github.com/videolabs/libmicrodns>\n\n### CVSSv3 Score\n\n9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-252: Unchecked Return Value\n\n### Details\n\nThe libmicrodns library is an mDNS resolver that aims to be simple and compatible cross-platform.\n\nThe function `mdns_recv` reads and parses an mDNS message:\n \n \n static int\n mdns_recv(const struct mdns_conn* conn, struct mdns_hdr *hdr, struct rr_entry **entries)\n {\n uint8_t buf[MDNS_PKT_MAXSZ];\n size_t num_entry, n;\n ssize_t length;\n struct rr_entry *entry;\n \n *entries = NULL;\n if ((length = recv(conn->sock, (char *) buf, sizeof(buf), 0)) < 0) // [1]\n return (MDNS_NETERR);\n \n const uint8_t *ptr = mdns_read_header(buf, length, hdr); // [2]\n n = length;\n \n num_entry = hdr->num_qn + hdr->num_ans_rr + hdr->num_add_rr;\n for (size_t i = 0; i < num_entry; ++i) {\n entry = calloc(1, sizeof(struct rr_entry));\n if (!entry)\n goto err;\n ptr = rr_read(ptr, &n, buf, entry, i >= hdr->num_qn); // [3]\n if (!ptr) {\n free(entry);\n errno = ENOSPC;\n goto err;\n }\n entry->next = *entries;\n *entries = entry;\n }\n ...\n }\n \n\nAt [1], a message is read from the network. The 12-bytes mDNS header is then parsed at [2]. 
Based on the header info, the loop parses each resource record (\u201cRR\u201d) using the function `rr_read` [3], which in turn calls `rr_read_RR` and then `rr_decode`.\n \n \n #define advance(x) ptr += x; *n -= x\n \n /*\n * Decodes a DN compressed format (RFC 1035)\n * e.g \"\\x03foo\\x03bar\\x00\" gives \"foo.bar\"\n */\n static const uint8_t *\n rr_decode(const uint8_t *ptr, size_t *n, const uint8_t *root, char **ss)\n {\n char *s;\n \n s = *ss = malloc(MDNS_DN_MAXSZ);\n if (!s)\n return (NULL);\n \n if (*ptr == 0) {\n *s = '\\0';\n advance(1);\n return (ptr);\n }\n while (*ptr) { // [4]\n size_t free_space;\n uint16_t len;\n \n free_space = *ss + MDNS_DN_MAXSZ - s;\n len = *ptr; // [8]\n advance(1);\n \n /* resolve the offset of the pointer (RFC 1035-4.1.4) */\n if ((len & 0xC0) == 0xC0) { // [5]\n const uint8_t *p;\n char *buf;\n size_t m;\n \n if (*n < sizeof(len)) // [9]\n goto err;\n len &= ~0xC0;\n len = (len << 8) | *ptr;\n advance(1);\n \n p = root + len;\n m = ptr - p + *n; // [6]\n rr_decode(p, &m, root, &buf); // [7]\n if (free_space <= strlen(buf)) { // [10]\n free(buf); // [12]\n goto err;\n }\n (void) strcpy(s, buf);\n free(buf); // [13]\n return (ptr);\n }\n if (*n <= len || free_space <= len) // [11]\n goto err;\n strncpy(s, (const char *) ptr, len);\n advance(len);\n s += len;\n *s++ = (*ptr) ? '.' : '\\0';\n }\n advance(1);\n return (ptr);\n err:\n free(*ss);\n return (NULL);\n }\n \n\nThe function `rr_decode` expects 4 parameters:\n\n * `ptr`: the pointer to the start of the label to parse\n * `n`: the number of remaining bytes in the message, starting from ptr\n * `root`: the pointer to the start of the mDNS message\n * `ss`: buffer used to build the domain name\n\nAt [4] the function loops for each character in the label and, if a pointer is found [5], the pointed label location and its maximum size is computed at [6], and the `rr_decode` function is called recursively [7]. 
\nFrom this point, the function `rr_decode` could reach the `err` label in 3 different ways:\n\n * by having a compressed label and `*n < sizeof(len)` [9], that is having `*n == 0 || *n == 1`.\n * by having a compressed label with size bigger than the free space available [10].\n * by having `*n <= len` (i.e. the label size is bigger than or equal to the remaining space in the message) or `free_space <= len` (i.e. the label size is bigger than or equal to the remaining space in the `*ss` buffer) [11].\n\nWhen any of those 3 cases is triggered, the code jumps to the `err` label, which frees the `*ss` buffer previously allocated, and returns `NULL`. \nHowever, when the function returns at [7], the `NULL` value returned is not checked, so `buf` (the callee's `*ss`), already freed at the `err` label inside the recursive call, is used and freed again, possibly leading to a double-free of the `buf` (`*ss`) buffer at [12] or [13], which could later be exploited by an attacker to execute arbitrary code.\n\n### Timeline\n\n2020-01-30 - Vendor Disclosure \n2020-03-20 - Vendor Patched \n2020-03-23 - Public Release\n\n##### Credit\n\nDiscovered by Claudio Bozzato of Cisco Talos. \n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2020-0996\n\nPrevious Report\n\nTALOS-2020-0994\n", "edition": 4, "modified": "2020-03-23T00:00:00", "published": "2020-03-23T00:00:00", "id": "TALOS-2020-0995", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2020-0995", "title": "Videolabs libmicrodns 0.1.0 rr_decode return value remote code execution vulnerability", "type": "talos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T21:24:56", "bulletinFamily": "info", "cvelist": ["CVE-2020-6073"], "description": "# Talos Vulnerability Report\n\n### TALOS-2020-0996\n\n## Videolabs libmicrodns 0.1.0 TXT record RDATA-parsing denial-of-service vulnerability\n\n##### March 23, 2020\n\n##### CVE Number\n\nCVE-2020-6073\n\n### Summary\n\nAn exploitable denial-of-service vulnerability exists in the TXT record-parsing functionality of Videolabs libmicrodns 0.1.0. 
When parsing the RDATA section in a TXT record in mDNS messages, multiple integer overflows can be triggered, leading to a denial of service. An attacker can send an mDNS message to trigger this vulnerability.\n\n### Tested Versions\n\nVideolabs libmicrodns 0.1.0\n\n### Product URLs\n\n<https://github.com/videolabs/libmicrodns>\n\n### CVSSv3 Score\n\n7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### CWE\n\nCWE-190: Integer Overflow or Wraparound\n\n### Details\n\nThe libmicrodns library is an mDNS resolver that aims to be simple and compatible cross-platform.\n\nThe function `mdns_recv` reads and parses an mDNS message:\n \n \n static int\n mdns_recv(const struct mdns_conn* conn, struct mdns_hdr *hdr, struct rr_entry **entries)\n {\n uint8_t buf[MDNS_PKT_MAXSZ];\n size_t num_entry, n;\n ssize_t length;\n struct rr_entry *entry;\n \n *entries = NULL;\n if ((length = recv(conn->sock, (char *) buf, sizeof(buf), 0)) < 0) // [1]\n return (MDNS_NETERR);\n \n const uint8_t *ptr = mdns_read_header(buf, length, hdr); // [2]\n n = length;\n \n num_entry = hdr->num_qn + hdr->num_ans_rr + hdr->num_add_rr;\n for (size_t i = 0; i < num_entry; ++i) {\n entry = calloc(1, sizeof(struct rr_entry));\n if (!entry)\n goto err;\n ptr = rr_read(ptr, &n, buf, entry, i >= hdr->num_qn); // [3]\n if (!ptr) {\n free(entry);\n errno = ENOSPC;\n goto err;\n }\n entry->next = *entries;\n *entries = entry;\n }\n ...\n }\n \n\nAt [1], a message is read from the network. The 12-bytes mDNS header is then parsed at [2]. 
Based on the header info, the loop parses each resource record (\u201cRR\u201d) using the function `rr_read` [3].\n \n \n const uint8_t *\n rr_read(const uint8_t *ptr, size_t *n, const uint8_t *root, struct rr_entry *entry, int8_t ans)\n {\n size_t skip;\n const uint8_t *p;\n \n p = ptr = rr_read_RR(ptr, n, root, entry, ans); // [4]\n if (ans == 0) return ptr;\n \n for (size_t i = 0; i < rr_num; ++i) {\n if (rrs[i].type == entry->type) {\n ptr = (*rrs[i].read)(ptr, n, root, entry); // [5]\n if (!ptr)\n return (NULL);\n break;\n }\n }\n ...\n \n\nThe function `rr_read_RR` [4] reads the current resource record, except for the `RDATA` section. This is read by the loop at [5]. For each `RR` type, a different function is called. When the `RR` type is 0x10, the function `rr_read_TXT` is called at [5].\n \n \n #define advance(x) ptr += x; *n -= x\n \n static const uint8_t *\n rr_read_TXT(const uint8_t *ptr, size_t *n, const uint8_t *root, struct rr_entry *entry)\n {\n union rr_data *data = &entry->data;\n uint16_t len = entry->data_len; // [8]\n uint8_t l;\n \n if (*n == 0 || *n < len)\n return (NULL);\n \n for (; len > 0; len -= l + 1) { // [9]\n struct rr_data_txt *text;\n \n memcpy(&l, ptr, sizeof(l)); // [6]\n advance(1);\n if (*n < l)\n return (NULL);\n text = malloc(sizeof(struct rr_data_txt));\n if (!text)\n return (NULL);\n text->next = data->TXT;\n data->TXT = text;\n if (l > 0)\n memcpy(text->txt, ptr, l); // [7]\n text->txt[l] = '\\0';\n advance(l); // [10]\n }\n return (ptr);\n }\n \n\nThis function expects four parameters:\n\n * `ptr`: the pointer to the start of the label to parse\n * `n`: the number of remaining bytes in the message, starting from ptr\n * `root`: the pointer to the start of the mDNS message\n * `entry`: the entry struct, containing the parsed resource record\n\nThe function is supposed to extract each variable-length string from the `RDATA` section. 
In this case, it extracts a length in position 0 [6], and copies the data found into `text->txt` [7]. During this parsing, `*n` and `len` are decremented accordingly. In this loop, `len` tracks the number of characters left to read in the same RDATA section, as previously declared in the `data_len` field [8].\n\nHowever, note that both `*n` and `len` are unsigned integers. This means that the loop will only stop when `len` is exactly equal to 0, or when `*n` is less than the length read in `RDATA`.\n\nAlso note that the `advance` macro moves `ptr` forward and decrements `*n` (the number of bytes left in the packet) accordingly.\n\nSo, making `l` at [6] equal to `*n`, while at the same time having `len` less than or equal to `l`, will cause `*n` to be 0 after [10], since we advance by `l`. Right after this, `len` overflows in the loop step at [9] because `l` is bigger than `len` (being unsigned, it wraps around instead of reaching 0), making the loop itself cycle indefinitely. Then, a new `l` is read at [6], and `advance` is called again, making `*n` overflow. At this point both `*n` and `len` have overflowed and the program will eventually crash with an out-of-bounds read at [7] or [6].\n\n### Timeline\n\n2020-01-30 - Vendor Disclosure \n2020-03-20 - Vendor Patched \n2020-03-23 - Public Release\n\n##### Credit\n\nDiscovered by Claudio Bozzato of Cisco Talos. 
\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2020-1018\n\nPrevious Report\n\nTALOS-2020-0995\n", "edition": 4, "modified": "2020-03-23T00:00:00", "published": "2020-03-23T00:00:00", "id": "TALOS-2020-0996", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2020-0996", "title": "Videolabs libmicrodns 0.1.0 TXT record RDATA-parsing denial-of-service vulnerability", "type": "talos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-01T21:25:00", "bulletinFamily": "info", "cvelist": ["CVE-2020-6071"], "description": "# Talos Vulnerability Report\n\n### TALOS-2020-0994\n\n## Videolabs libmicrodns 0.1.0 resource record recursive label uncompression denial-of-service vulnerability\n\n##### March 23, 2020\n\n##### CVE Number\n\nCVE-2020-6071 \n\n### Summary\n\nAn exploitable denial-of-service vulnerability exists in the resource record-parsing functionality of Videolabs libmicrodns 0.1.0. When parsing compressed labels in mDNS messages, the compression pointer is followed without checking for recursion, leading to a denial of service. 
An attacker can send an mDNS message to trigger this vulnerability.\n\n### Tested Versions\n\nVideolabs libmicrodns 0.1.0\n\n### Product URLs\n\n<https://github.com/videolabs/libmicrodns>\n\n### CVSSv3 Score\n\n7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### CWE\n\nCWE-674: Uncontrolled Recursion\n\n### Details\n\nThe libmicrodns library is an mDNS resolver that aims to be simple and compatible cross-platform.\n\nThe function `mdns_recv` reads and parses an mDNS message:\n \n \n static int\n mdns_recv(const struct mdns_conn* conn, struct mdns_hdr *hdr, struct rr_entry **entries)\n {\n uint8_t buf[MDNS_PKT_MAXSZ];\n size_t num_entry, n;\n ssize_t length;\n struct rr_entry *entry;\n \n *entries = NULL;\n if ((length = recv(conn->sock, (char *) buf, sizeof(buf), 0)) < 0) // [1]\n return (MDNS_NETERR);\n \n const uint8_t *ptr = mdns_read_header(buf, length, hdr); // [2]\n n = length;\n \n num_entry = hdr->num_qn + hdr->num_ans_rr + hdr->num_add_rr;\n for (size_t i = 0; i < num_entry; ++i) {\n entry = calloc(1, sizeof(struct rr_entry));\n if (!entry)\n goto err;\n ptr = rr_read(ptr, &n, buf, entry, i >= hdr->num_qn); // [3]\n if (!ptr) {\n free(entry);\n errno = ENOSPC;\n goto err;\n }\n entry->next = *entries;\n *entries = entry;\n }\n ...\n }\n \n\nAt [1], a message is read from the network. The 12-byte mDNS header is then parsed at [2]. 
Based on the header info, the loop parses each resource record (\u201cRR\u201d) using the function `rr_read` [3], which in turn calls `rr_read_RR` and then `rr_decode`.\n \n \n #define advance(x) ptr += x; *n -= x\n \n /*\n * Decodes a DN compressed format (RFC 1035)\n * e.g \"\\x03foo\\x03bar\\x00\" gives \"foo.bar\"\n */\n static const uint8_t *\n rr_decode(const uint8_t *ptr, size_t *n, const uint8_t *root, char **ss)\n {\n char *s;\n \n s = *ss = malloc(MDNS_DN_MAXSZ);\n if (!s)\n return (NULL);\n \n if (*ptr == 0) {\n *s = '\\0';\n advance(1);\n return (ptr);\n }\n while (*ptr) { // [4]\n size_t free_space;\n uint16_t len;\n \n free_space = *ss + MDNS_DN_MAXSZ - s;\n len = *ptr;\n advance(1);\n \n /* resolve the offset of the pointer (RFC 1035-4.1.4) */\n if ((len & 0xC0) == 0xC0) { // [5]\n const uint8_t *p;\n char *buf;\n size_t m;\n \n if (*n < sizeof(len))\n goto err;\n len &= ~0xC0;\n len = (len << 8) | *ptr;\n advance(1);\n \n p = root + len;\n m = ptr - p + *n; // [6]\n rr_decode(p, &m, root, &buf); // [7]\n ...\n \n\nThe function `rr_decode` expects four parameters:\n\n * `ptr`: the pointer to the start of the label to parse\n * `n`: the number of remaining bytes in the message, starting from ptr\n * `root`: the pointer to the start of the mDNS message\n * `ss`: buffer used to build the domain name\n\nAt [4], the function loops for each character in the label and, if a pointer is found [5], the pointed label location and its maximum size is computed at [6], and the `rr_decode` function is called recursively [7].\n\nSince there are no recursion checks, an attacker could send a message with a label which uses a pointer to point to itself, triggering an infinite recursion and exhausting the program\u2019s stack, leading to a denial of service.\n\n### Timeline\n\n2020-01-30 - Vendor Disclosure \n \n2020-03-20 - Vendor Patched \n2020-03-23 - Public Release\n\n##### Credit\n\nDiscovered by Claudio Bozzato of Cisco Talos. 
\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2020-0995\n\nPrevious Report\n\nTALOS-2019-0966\n", "edition": 5, "modified": "2020-03-23T00:00:00", "published": "2020-03-23T00:00:00", "id": "TALOS-2020-0994", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2020-0994", "title": "Videolabs libmicrodns 0.1.0 resource record recursive label uncompression denial-of-service vulnerability", "type": "talos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-01T21:25:26", "bulletinFamily": "info", "cvelist": ["CVE-2020-6077"], "description": "# Talos Vulnerability Report\n\n### TALOS-2020-1000\n\n## Videolabs libmicrodns 0.1.0 message-parsing bounds denial-of-service vulnerability\n\n##### March 23, 2020\n\n##### CVE Number\n\nCVE-2020-6077\n\n### Summary\n\nAn exploitable denial-of-service vulnerability exists in the message-parsing functionality of Videolabs libmicrodns 0.1.0. When parsing mDNS messages, the implementation does not properly keep track of the available data in the message, possibly leading to an out-of-bounds read that would result in a denial of service. 
An attacker can send an mDNS message to trigger this vulnerability.\n\n### Tested Versions\n\nVideolabs libmicrodns 0.1.0\n\n### Product URLs\n\n<https://github.com/videolabs/libmicrodns>\n\n### CVSSv3 Score\n\n7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### CWE\n\nCWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer\n\n### Details\n\nThe libmicrodns library is an mDNS resolver that aims to be simple and compatible cross-platform.\n\nThe function `mdns_recv` reads and parses an mDNS message:\n \n \n static int\n mdns_recv(const struct mdns_conn* conn, struct mdns_hdr *hdr, struct rr_entry **entries)\n {\n uint8_t buf[MDNS_PKT_MAXSZ];\n size_t num_entry, n;\n ssize_t length;\n struct rr_entry *entry;\n \n *entries = NULL;\n if ((length = recv(conn->sock, (char *) buf, sizeof(buf), 0)) < 0) // [1]\n return (MDNS_NETERR);\n \n const uint8_t *ptr = mdns_read_header(buf, length, hdr); // [2]\n n = length;\n \n num_entry = hdr->num_qn + hdr->num_ans_rr + hdr->num_add_rr;\n for (size_t i = 0; i < num_entry; ++i) {\n entry = calloc(1, sizeof(struct rr_entry));\n if (!entry)\n goto err;\n ptr = rr_read(ptr, &n, buf, entry, i >= hdr->num_qn); // [3]\n if (!ptr) {\n free(entry);\n errno = ENOSPC;\n goto err;\n }\n entry->next = *entries;\n *entries = entry;\n }\n ...\n }\n \n\nAt [1], a message is read from the network. The 12-bytes mDNS header is then parsed at [2]. 
Based on the header info, the loop parses each resource record (\u201cRR\u201d) using the function `rr_read` [3], which in turn calls `rr_read_RR` and then `rr_decode`.\n \n \n #define advance(x) ptr += x; *n -= x\n \n /*\n * Decodes a DN compressed format (RFC 1035)\n * e.g \"\\x03foo\\x03bar\\x00\" gives \"foo.bar\"\n */\n static const uint8_t *\n rr_decode(const uint8_t *ptr, size_t *n, const uint8_t *root, char **ss)\n {\n char *s;\n \n s = *ss = malloc(MDNS_DN_MAXSZ);\n if (!s)\n return (NULL);\n \n if (*ptr == 0) { // [9]\n *s = '\\0';\n advance(1);\n return (ptr);\n }\n while (*ptr) { // [4]\n size_t free_space;\n uint16_t len;\n \n free_space = *ss + MDNS_DN_MAXSZ - s;\n len = *ptr;\n advance(1);\n \n /* resolve the offset of the pointer (RFC 1035-4.1.4) */\n if ((len & 0xC0) == 0xC0) {\n const uint8_t *p;\n char *buf;\n size_t m;\n \n if (*n < sizeof(len)) // [5]\n goto err;\n len &= ~0xC0;\n len = (len << 8) | *ptr;\n advance(1);\n \n p = root + len; // [8]\n m = ptr - p + *n; // [6]\n rr_decode(p, &m, root, &buf);\n if (free_space <= strlen(buf)) {\n free(buf);\n goto err;\n }\n (void) strcpy(s, buf);\n free(buf);\n return (ptr);\n }\n if (*n <= len || free_space <= len) // [7]\n goto err;\n strncpy(s, (const char *) ptr, len);\n advance(len);\n s += len;\n *s++ = (*ptr) ? '.' : '\\0'; // [10]\n }\n advance(1);\n return (ptr);\n err:\n free(*ss);\n return (NULL);\n }\n \n\nThe function `rr_decode` expects 4 parameters:\n\n * `ptr`: the pointer to the start of the label to parse\n * `n`: the number of remaining bytes in the message, starting from ptr\n * `root`: the pointer to the start of the mDNS message\n * `ss`: buffer used to build the domain name\n\nThe task of this function is to parse a domain name in a given resource record, according to RFC 1035. \nTo walk through the message, the `advance` macro is used to move `ptr` forward and to decrement `*n` (the number of bytes left in the message) accordingly. 
\nAlso note how the code relies on the value of `*n` to make decisions [5] [6] [7] about the loop [4] termination.\n\nIn the code above, the comparison at [5] is performed incorrectly. Because of the `sizeof`, the code checks if `*n` is either `0` or `1`. This means that the pointer `p` at [8] can point from `root` up to `root + 16383`. The function would then call recursively, reading out of bounds and possibly crashing at [9] or [10] when dereferencing `ptr`.\n\nAdditionally, before `rr_decode` is called, the function `mdns_read_header` [2] parses the mDNS header:\n \n \n static const uint8_t *\n mdns_read_header(const uint8_t *ptr, size_t n, struct mdns_hdr *hdr)\n {\n if (n <= sizeof(struct mdns_hdr)) {\n errno = ENOSPC;\n return NULL;\n }\n ptr = read_u16(ptr, &n, &hdr->id);\n ptr = read_u16(ptr, &n, &hdr->flags);\n ptr = read_u16(ptr, &n, &hdr->num_qn);\n ptr = read_u16(ptr, &n, &hdr->num_ans_rr);\n ptr = read_u16(ptr, &n, &hdr->num_auth_rr);\n ptr = read_u16(ptr, &n, &hdr->num_add_rr);\n return ptr;\n }\n \n\nThe function `read_u16` takes care of reading a 2-bytes unsigned integer, and decrementing `n` accordingly [11]:\n \n \n static inline const uint8_t *read_u16(const uint8_t *p, size_t *s, uint16_t *v)\n {\n *v = 0;\n *v |= *p++ << 8;\n *v |= *p++ << 0;\n *s -= 2; // [11]\n return (p);\n }\n \n\nHowever, as we can see from the definition of `mdns_read_header` and the way it\u2019s called [12], `n` is passed to `mdns_read_header` by value rather than by reference, losing any modification performed by `read_u16`.\n \n \n static int\n mdns_recv(const struct mdns_conn* conn, struct mdns_hdr *hdr, struct rr_entry **entries)\n {\n uint8_t buf[MDNS_PKT_MAXSZ];\n size_t num_entry, n;\n ssize_t length;\n struct rr_entry *entry;\n \n *entries = NULL;\n if ((length = recv(conn->sock, (char *) buf, sizeof(buf), 0)) < 0)\n return (MDNS_NETERR);\n \n const uint8_t *ptr = mdns_read_header(buf, length, hdr); // [12]\n n = length;\n \n\nThis makes the `*n` value to be 
0xC bytes (the header size) bigger than it should be. While, in the absence of other bugs, this last issue alone may not cause a direct impact on the service, it may be used together with the first bug presented in this advisory in order to evade detection.\n\nFinally, while this bug alone would result in a simple denial-of-service, because of other bugs in the code, it may be used to trigger the same double-free that was reported in TALOS-2020-0995.\n\n### Timeline\n\n2020-01-30 - Vendor Disclosure \n2020-03-20 - Vendor Patched \n2020-03-23 - Public Release\n\n##### Credit\n\nDiscovered by Claudio Bozzato of Cisco Talos\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2020-1001\n\nPrevious Report\n\nTALOS-2020-1018\n", "edition": 4, "modified": "2020-03-23T00:00:00", "published": "2020-03-23T00:00:00", "id": "TALOS-2020-1000", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1000", "title": "Videolabs libmicrodns 0.1.0 message-parsing bounds denial-of-service vulnerability", "type": "talos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}