Re: avahi-daemon uses 100% of cpu when scanned with nmap (DoS possible?)

To: debian-security@lists.debian.org
Cc: submit@bugs.debian.org, debian-security@lists.debian.org
Subject: Re: avahi-daemon uses 100% of cpu when scanned with nmap (DoS possible?)
From: Yann Castells <yann.castells@gmail.com>
Date: Wed, 23 Feb 2011 14:19:51 +0100
Message-id: <[🔎] 70CC9D59-5AEE-43C8-BB4B-568F3C412C73@gmail.com>
In-reply-to: <[🔎] 1298464572.5372.26.camel@localhost>
References: <[🔎] 1298464572.5372.26.camel@localhost>

I can confirm this.

Am 23.02.2011 um 13:36 schrieb Alexander Kurtz:

> Package: avahi-daemon
> Version: 0.6.27-2
> Tags: security
> Severity: critical
> Justification: Introduces possible denial-of-service scenario.
> 
> Hi,
> 
> when I scan my server from another machine on the network using nmap, I
> get this:
> 
> 	# nmap -sU -p5353 192.168.2.2
> 
> 	Starting Nmap 5.00 ( http://nmap.org ) at 2011-02-23 13:15 CET
> 	Interesting ports on 192.168.2.2:
> 	PORT     STATE         SERVICE
> 	5353/udp open|filtered zeroconf
> 	MAC Address: XX:XX:XX:XX:XX:XX (Netgear)
> 
> 	Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
> 	# 
> 
> As soon as the scan starts, avahi-daemon on the server starts running
> amok, top shows this: 
> 
> 	  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> 	 5535 avahi     20   0 33884 1600 1280 R  100  0.0   2:28.47 avahi-daemon
> 
> Restarting avahi-daemon is not possible: 
> 
> 	# /etc/init.d/avahi-daemon restart
> 	Restarting Avahi mDNS/DNS-SD Daemon: avahi-daemonFailed to kill daemon: Timer expired
> 	.
> 	#
> 
> Simply terminating the process doesn't work either: 
> 
> 	# ps -Af | grep avahi-daemon
> 	avahi     5535     1 87 13:14 ?        00:04:43 avahi-daemon: running [server.local]
> 	avahi     5536  5535  0 13:14 ?        00:00:00 avahi-daemon: chroot helper
> 	root      5610  5581  0 13:20 pts/2    00:00:00 grep avahi-daemon
> 	# kill 5535
> 	# ps -Af | grep avahi-daemon
> 	avahi     5535     1 88 13:14 ?        00:05:02 avahi-daemon: running [server.local]
> 	avahi     5536  5535  0 13:14 ?        00:00:00 avahi-daemon: chroot helper
> 	root      5614  5581  0 13:20 pts/2    00:00:00 grep avahi-daemon
> 	#
> 
> Forcibly killing the process works:
> 
> 	# kill -9 5535
> 	# ps -Af | grep avahi-daemon
> 	root      5629  5581  0 13:23 pts/2    00:00:00 grep avahi-daemon
> 	# 
> 
> I don't know what kind of data nmap sends when scanning for open UDP
> ports, but it definitely shouldn't cause avahi-daemon to run amok.
> 
> Please note that I have not changed the Avahi configuration in any way,
> so you should be able to reproduce this easily. Please tell me if you
> need any more information!
> 
> Best regards
> 
> Alexander Kurtz

Attachment: PGP.sig
Description: Signierter Teil der Nachricht

Reply to:

References:
- avahi-daemon uses 100% of cpu when scanned with nmap (DoS possible?)
  - From: Alexander Kurtz <kurtz.alex@googlemail.com>

Prev by Date: avahi-daemon uses 100% of cpu when scanned with nmap (DoS possible?)
Next by Date: Re: [SECURITY] [DSA-2158-1] cgiirc security update
Previous by thread: avahi-daemon uses 100% of cpu when scanned with nmap (DoS possible?)
Next by thread: Re: avahi-daemon uses 100% of cpu when scanned with nmap (DoS possible?)
Index(es):
- Date
- Thread