Sign-up

ID

VAR-201504-0248


CVE

CVE-2015-2809


TITLE

Multicast DNS (mDNS) implementations may respond to unicast queries originating outside the local link

Trust: 0.8

sources: CERT/CC: VU#550620

DESCRIPTION

The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DSM) before 3.1 inadvertently responds to unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets to the Avahi component. Multicast DNS implementations may respond to unicast queries that originate from sources outside of the local link network. Such responses may disclose information about network devices or be used in denial-of-service (DoS) amplification attacks. Multiple products are prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information or crash the system, resulting in a denial-of-service condition. Other attacks are also possible. Synology DiskStation Manager (DSM) is an operating system developed by Synology for network storage servers (NAS). The operating system can manage data, documents, photos, music and other information

Trust: 2.7

sources: NVD: CVE-2015-2809 // CERT/CC: VU#550620 // JVNDB: JVNDB-2015-002046 // BID: 73683 // VULHUB: VHN-80770

AFFECTED PRODUCTS

vendor:synologymodel:diskstation managerscope:lteversion:3.0

Trust: 1.0

vendor:avahi mdnsmodel: - scope: - version: -

Trust: 0.8

vendor:canonmodel: - scope: - version: -

Trust: 0.8

vendor:hewlett packardmodel: - scope: - version: -

Trust: 0.8

vendor:ibmmodel: - scope: - version: -

Trust: 0.8

vendor:synologymodel: - scope: - version: -

Trust: 0.8

vendor:synologymodel:diskstation managerscope:ltversion:3.1

Trust: 0.8

vendor:synologymodel:diskstation managerscope:eqversion:3.0

Trust: 0.6

vendor:hpmodel:color laserjetscope:eqversion:47000

Trust: 0.3

vendor:avahimodel:avahiscope:eqversion:0.6.26

Trust: 0.3

vendor:avahimodel:avahiscope:eqversion:0.6.25

Trust: 0.3

vendor:avahimodel:avahiscope:eqversion:0.6.24

Trust: 0.3

vendor:avahimodel:avahiscope:eqversion:0.6.23

Trust: 0.3

vendor:avahimodel:avahiscope:eqversion:0.6.20

Trust: 0.3

vendor:avahimodel:avahiscope:eqversion:0.6.16

Trust: 0.3

vendor:avahimodel:avahiscope:eqversion:0.6.15

Trust: 0.3

vendor:avahimodel:avahiscope:eqversion:0.6.13

Trust: 0.3

vendor:avahimodel:avahiscope:eqversion:0.6.11

Trust: 0.3

vendor:avahimodel:avahiscope:eqversion:0.6.10

Trust: 0.3

vendor:avahimodel:avahiscope:eqversion:0.6.9

Trust: 0.3

vendor:avahimodel:avahiscope:eqversion:0.6.8

Trust: 0.3

vendor:avahimodel:avahiscope:eqversion:0.6.7

Trust: 0.3

vendor:avahimodel:avahiscope:eqversion:0.5.2

Trust: 0.3

sources: CERT/CC: VU#550620 // BID: 73683 // JVNDB: JVNDB-2015-002046 // CNNVD: CNNVD-201503-655 // NVD: CVE-2015-2809

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-2809
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-2809
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201503-655
value: MEDIUM

Trust: 0.6

VULHUB: VHN-80770
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-2809
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-80770
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-80770 // JVNDB: JVNDB-2015-002046 // CNNVD: CNNVD-201503-655 // NVD: CVE-2015-2809

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-80770 // JVNDB: JVNDB-2015-002046 // NVD: CVE-2015-2809

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201503-655

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201503-655

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-002046

PATCH
title:DiskStation Manager 5.1url:https://www.synology.com/en-global/dsm/
Trust: 0.8
title:DSM_RS3411xs_1760url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=54792
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2015-002046 // 
            
            
            
            CNNVD: CNNVD-201503-655

EXTERNAL IDS
db:CERT/CCid:VU#550620
Trust: 3.3
db:NVDid:CVE-2015-2809
Trust: 2.8
db:BIDid:73683
Trust: 1.4
db:JVNid:JVNVU98589419
Trust: 0.8
db:JVNDBid:JVNDB-2015-002046
Trust: 0.8
db:CNNVDid:CNNVD-201503-655
Trust: 0.7
db:VULHUBid:VHN-80770
Trust: 0.1
sources:
            
            
            CERT/CC: VU#550620 // 
            
            
            
            VULHUB: VHN-80770 // 
            
            
            
            BID: 73683 // 
            
            
            
            JVNDB: JVNDB-2015-002046 // 
            
            
            
            CNNVD: CNNVD-201503-655 // 
            
            
            
            NVD: CVE-2015-2809

REFERENCES
url:http://www.kb.cert.org/vuls/id/550620
Trust: 2.5
url:http://www.kb.cert.org/vuls/id/bluu-9tlshd
Trust: 2.5
url:https://github.com/chadillac/mdns_recon
Trust: 1.6
url:http://www.securityfocus.com/bid/73683
Trust: 1.1
url:http://www.ietf.org/rfc/rfc6762.txt
Trust: 0.8
url:https://www.usa.canon.com/cusa/support/consumer?pagekeycode=prdadvdetail&docid=0901e02480ea9d5d
Trust: 0.8
url:http://www-01.ibm.com/support/docview.wss?uid=swg21699497
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2809
Trust: 0.8
url:http://jvn.jp/vu/jvnvu98589419/index.html
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2809
Trust: 0.8
url:https://tools.ietf.org/html/rfc6762#section-5.5
Trust: 0.8
url:http://lists.freedesktop.org/archives/avahi/2010-november/001952.html
Trust: 0.8
url:http://www.ibm.com/
Trust: 0.3
sources:
            
            
            CERT/CC: VU#550620 // 
            
            
            
            VULHUB: VHN-80770 // 
            
            
            
            BID: 73683 // 
            
            
            
            JVNDB: JVNDB-2015-002046 // 
            
            
            
            CNNVD: CNNVD-201503-655 // 
            
            
            
            NVD: CVE-2015-2809

CREDITS
Chad Seaman
Trust: 0.3
sources:
            
            
            BID: 73683

SOURCES
db:CERT/CCid:VU#550620
db:VULHUBid:VHN-80770
db:BIDid:73683
db:JVNDBid:JVNDB-2015-002046
db:CNNVDid:CNNVD-201503-655
db:NVDid:CVE-2015-2809

LAST UPDATE DATE
2024-11-23T21:44:19.192000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#550620date:2015-05-15T00:00:00
db:VULHUBid:VHN-80770date:2016-07-29T00:00:00
db:BIDid:73683date:2015-05-15T00:14:00
db:JVNDBid:JVNDB-2015-002046date:2015-04-06T00:00:00
db:CNNVDid:CNNVD-201503-655date:2015-04-02T00:00:00
db:NVDid:CVE-2015-2809date:2024-11-21T02:28:07.560

SOURCES RELEASE DATE
db:CERT/CCid:VU#550620date:2015-03-31T00:00:00
db:VULHUBid:VHN-80770date:2015-04-01T00:00:00
db:BIDid:73683date:2015-03-31T00:00:00
db:JVNDBid:JVNDB-2015-002046date:2015-04-06T00:00:00
db:CNNVDid:CNNVD-201503-655date:2015-03-31T00:00:00
db:NVDid:CVE-2015-2809date:2015-04-01T02:00:35.970