CVE-2008-5081
Published 2008-12-17
Priority: P3 · 42 · CVSS 2.0: 5 (medium)
AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT · EPSS: 59.22% (99.0th percentile)
The originates_from_local_legacy_unicast_socket function (avahi-core/server.c) in avahi-daemon in Avahi before 0.6.24 allows remote attackers to cause a denial of service (crash) via a crafted mDNS packet with a source port of 0, which triggers an assertion failure.
Affected
41 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| avahi | avahi | <= 0.6.23 | — |
Detection & IOCs (extracted from sources)
- Look for raw IP packets with IP ID field set to 0xdead (htons(0xdead)) targeting UDP/5353, which is a fingerprint of the public PoC exploit.
- Monitor avahi-daemon process for unexpected abort/crash signals, particularly assertion failures in originates_from_local_legacy_unicast_socket(), as a sign of active exploitation.
- The Metasploit auxiliary module auxiliary/dos/mdns/avahi_portzero can be used to validate exposure; presence of this module in logs indicates active exploitation attempts.
- Only avahi-daemon versions prior to 0.6.24 are vulnerable; systems running 0.6.24 or later are not affected by this specific assertion failure.
- CVE-2010-2244 is a distinct but related avahi-daemon DoS (invalid checksum assertion in avahi-core/socket.c) affecting versions 0.6.16 and 0.6.25; do not conflate with CVE-2008-5081 detections.
CVSS provenance
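| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | LOW | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
| vendor_ubuntu | — | 2.1 | LOW | — |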
GHSA
GHSA-vxxg-j26r-33g8: The AvahiDnsPacket function in avahi-core/socket
ghsa_unreviewed·2022-05-17·CVSS 5.0
CVE-2010-2244 [MEDIUM] GHSA-vxxg-j26r-33g8: The AvahiDnsPacket function in avahi-core/socket
The AvahiDnsPacket function in avahi-core/socket.c in avahi-daemon in Avahi 0.6.16 and 0.6.25 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNS packet with an invalid checksum followed by a DNS packet with a valid checksum, a different vulnerability than CVE-2008-5081.
GHSA
GHSA-r2cw-w385-f36j: The originates_from_local_legacy_unicast_socket function (avahi-core/server
ghsa_unreviewed·2022-05-17
CVE-2008-5081 [MEDIUM] GHSA-r2cw-w385-f36j: The originates_from_local_legacy_unicast_socket function (avahi-core/server
The originates_from_local_legacy_unicast_socket function (avahi-core/server.c) in avahi-daemon in Avahi before 0.6.24 allows remote attackers to cause a denial of service (crash) via a crafted mDNS packet with a source port of 0, which triggers an assertion failure.
OSV
CVE-2010-2244: The AvahiDnsPacket function in avahi-core/socket
osv·2010-07-08·CVSS 5.0
CVE-2010-2244 [MEDIUM] CVE-2010-2244: The AvahiDnsPacket function in avahi-core/socket
The AvahiDnsPacket function in avahi-core/socket.c in avahi-daemon in Avahi 0.6.16 and 0.6.25 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNS packet with an invalid checksum followed by a DNS packet with a valid checksum, a different vulnerability than CVE-2008-5081.
OSV
CVE-2008-5081: The originates_from_local_legacy_unicast_socket function (avahi-core/server
osv·2008-12-17·CVSS 5.0
CVE-2008-5081 [MEDIUM] CVE-2008-5081: The originates_from_local_legacy_unicast_socket function (avahi-core/server
The originates_from_local_legacy_unicast_socket function (avahi-core/server.c) in avahi-daemon in Avahi before 0.6.24 allows remote attackers to cause a denial of service (crash) via a crafted mDNS packet with a source port of 0, which triggers an assertion failure.
Red Hat
avahi: assertion failure after receiving a packet with corrupted checksum
vendor_redhat·2010-06-23·CVSS 5.0
CVE-2010-2244 [MEDIUM] avahi: assertion failure after receiving a packet with corrupted checksum
The AvahiDnsPacket function in avahi-core/socket.c in avahi-daemon in Avahi 0.6.16 and 0.6.25 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNS packet with an invalid checksum followed by a DNS packet with a valid checksum, a different vulnerability than CVE-2008-5081.
Package: avahi (Red Hat Enterprise Linux 6) - Not affected
Debian
CVE-2010-2244: avahi - The AvahiDnsPacket function in avahi-core/socket.c in avahi-daemon in Avahi 0.6....
vendor_debian·2010·CVSS 5.0
CVE-2010-2244 [MEDIUM] CVE-2010-2244: avahi - The AvahiDnsPacket function in avahi-core/socket.c in avahi-daemon in Avahi 0.6....
The AvahiDnsPacket function in avahi-core/socket.c in avahi-daemon in Avahi 0.6.16 and 0.6.25 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNS packet with an invalid checksum followed by a DNS packet with a valid checksum, a different vulnerability than CVE-2008-5081.
Scope: local
bookworm: resolved (fixed in 0.6.26-1)
bullseye: resolved (fixed in 0.6.26-1)
forky: resolved (fixed in 0.6.26-1)
sid: resolved (fixed in 0.6.26-1)
trixie: resolved (fixed in 0.6.26-1)
Ubuntu
Avahi vulnerabilities
vendor_ubuntu·2008-12-18·CVSS 2.1
CVE-2007-3372 [LOW] Avahi vulnerabilities
Title: Avahi vulnerabilities
Summary: Avahi vulnerabilities
Emanuele Aina discovered that Avahi did not properly validate its input when
processing data over D-Bus. A local attacker could send an empty TXT message
via D-Bus and cause a denial of service (failed assertion). This issue only
affected Ubuntu 6.06 LTS. (CVE-2007-3372)
Hugo Dias discovered that Avahi did not properly verify its input when
processing mDNS packets. A remote attacker could send a crafted mDNS packet
and cause a denial of service (assertion failure). (CVE-2008-5081)
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
avahi: avahi-daemon DoS (application abort) via packet with source port 0
vendor_redhat·2008-12-12·CVSS 5.0
CVE-2008-5081 [MEDIUM] avahi: avahi-daemon DoS (application abort) via packet with source port 0
The originates_from_local_legacy_unicast_socket function (avahi-core/server.c) in avahi-daemon in Avahi before 0.6.24 allows remote attackers to cause a denial of service (crash) via a crafted mDNS packet with a source port of 0, which triggers an assertion failure.
Debian
CVE-2008-5081: avahi - The originates_from_local_legacy_unicast_socket function (avahi-core/server.c) i...
vendor_debian·2008·CVSS 5.0
CVE-2008-5081 [MEDIUM] CVE-2008-5081: avahi - The originates_from_local_legacy_unicast_socket function (avahi-core/server.c) i...
The originates_from_local_legacy_unicast_socket function (avahi-core/server.c) in avahi-daemon in Avahi before 0.6.24 allows remote attackers to cause a denial of service (crash) via a crafted mDNS packet with a source port of 0, which triggers an assertion failure.
Scope: local
bookworm: resolved (fixed in 0.6.23-3)
bullseye: resolved (fixed in 0.6.23-3)
forky: resolved (fixed in 0.6.23-3)
sid: resolved (fixed in 0.6.23-3)
trixie: resolved (fixed in 0.6.23-3)
No detection rules found.
Exploit-DB
Avahi < 0.6.24 - mDNS Daemon Remote Denial of Service
exploitdb·2008-12-19·CVSS 5.0
CVE-2008-5081 [MEDIUM] Avahi < 0.6.24 - mDNS Daemon Remote Denial of Service
Avahi
* http://jon.oberheide.org
*
* Usage:
*
* gcc cve-2008-5081.c -ldnet -o cve-2008-5081
* ./cve-2008-5081 1.2.3.4
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5081
*
* Crafted mDNS packet with source port 0 can cause avahi-daemon
* to abort() due to failed assertion assert(port > 0); in
* originates_from_local_legacy_unicast_socket() function in
* avahi-core/server.c.
*
*/
#include
#include
#include
#include
int
main(int argc, char **argv)
{
ip_t *sock;
intf_t *intf;
struct addr dst;
struct ip_hdr *ip;
struct udp_hdr *udp;
struct intf_entry entry;
int len = IP_HDR_LEN + UDP_HDR_LEN;
char buf[len];
if (argc ip_v = 4;
ip->ip_hl = 5;
ip->ip_tos = 0;
ip->ip_off = 0;
ip->ip_sum = 0;
ip->ip_ttl = IP_TTL_MAX;
ip->ip_p = IP_PROTO_UDP;
ip->ip_id = htons(0xdead)
Metasploit
Avahi Source Port 0 DoS
metasploit
Avahi-daemon versions prior to 0.6.24 can be DoS'd with an mDNS packet with a source port of 0.
Bugzilla
CVE-2010-2244 avahi: assertion failure after receiving a packet with corrupted checksum
bugzilla·2010-06-23·CVSS 5.0
CVE-2010-2244 [MEDIUM] CVE-2010-2244 avahi: assertion failure after receiving a packet with corrupted checksum
Ludwig Nussel reported:
[1] http://www.openwall.com/lists/oss-security/2010/06/23/4
a deficiency in the way avahi daemon processed packets with corrupted
checksum(s). A remote attacker on the same local area network (LAN)
could send a DNS packet with broken checksum, that would cause avahi-daemon
to exit unexpectedly due to a failed assertion check. Different vulnerability
than CVE-2008-5081.
Discussion:
Created attachment 426335
Proposed patch by Ludwig Nussel (from [1])
---
Created avahi tracking bugs for this issue
Affects: fedora-all [bug 607297]
---
This has been assigned CVE-2010-2244.
---
Lennart, have you had a chance to review the patch Ludwig provided to fix this yet?
---
This issu
Bugzilla
CVE-2008-5081 avahi: avahi-daemon DoS (application abort) via packet with source port 0
bugzilla·2008-12-11·CVSS 5.0
CVE-2008-5081 [MEDIUM] CVE-2008-5081 avahi: avahi-daemon DoS (application abort) via packet with source port 0
Hugo Dias of the Synchron Security Labs discovered a remote denial of service flaw in the avahi daemon. A crafted multicast DNS (mDNS) packet with source port 0 can trigger assertion in originates_from_local_legacy_unicast_socket() function in avahi-core/server.c -- assert(port > 0); -- causing the daemon to call abort() and exit unexpectedly.
Scope of this attack is usually limited to a single LAN.
Discussion:
Public now via new upstream release 0.6.24:
http://avahi.org/milestone/Avahi%200.6.24
Upstream patch:
http://git.0pointer.de/?p=avahi.git;a=commitdiff;h=3093047f1aa36bed8a37fa79004bf0ee287929f4
---
avahi-0.6.22-12.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproje
- http://avahi.org/milestone/Avahi%200.6.24
- http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00000.html
- http://secunia.com/advisories/33153
- http://secunia.com/advisories/33220
- http://secunia.com/advisories/33279
- http://secunia.com/advisories/33475
- http://security.gentoo.org/glsa/glsa-200901-11.xml
- http://www.debian.org/security/2008/dsa-1690
- http://www.openwall.com/lists/oss-security/2008/12/14/1
- http://www.securityfocus.com/bid/32825
- http://www.ubuntu.com/usn/usn-696-1
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9987
- https://www.exploit-db.com/exploits/7520