
Security Advisory - mDNS Message Improper Handling Vulnerability in Huawei WLAN AC Products

  • SA No: Huawei-SA-20150909-01-mDNS
  • Initial Release Date: 2015-09-09
  • Last Release Date: 2015-09-09


The mDNS module in Huawei WLAN AC products improperly processes mDNS packets and responds to mDNS unicast queries from outside the link local network (e.g., the WAN), leading to information leaks. (Vulnerability ID: HWPSIRT-2015-03024)

The CVE No. of the vulnerability is CVE-2015-6586.

Product Name               Affected Version    Fixed Version
WLAN AC6005/AC6605/ACU2    V200R005C00         Upgrade to V200R006C00SPC100
                           V200R005C10
                           V200R006C00         V200R006C00SPC100


By exploiting the vulnerability, an attacker could obtain some information about the WLAN AC device.

The severity of the vulnerabilities in this advisory has been assessed by the Common Vulnerability Scoring System Version 2.0 (http://www.first.org/cvss/).

Base score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Temporal score: 4.1 (E:F/RL:O/RC:C)

1. This vulnerability can be exploited only when the following condition is present:

The attacker can access the WLAN AC device.

2. Attack procedure:

The attacker initiates a unicast query from outside the link local network.

Scenario 1: Disable the mDNS function.
Run commands to disable the mDNS relay and mDNS gateway functions separately.
undo mdns relay enable //Disable the mDNS relay function.
undo mdns gateway enable //Disable the mDNS gateway function.


Scenario 2: Configure an ACL to discard mDNS packets received at the WAN interface, so that the device processes only link local mDNS packets. The configuration process is as follows:
traffic classifier mdns operator or //Create a flow class and access its view.
 if-match acl 3000 //Classify traffic by matching it against ACL 3000.
acl number 3000 //Create an ACL group.
 rule 1 deny udp destination-port eq 5353 //Configure an ACL rule to discard mDNS packets.
traffic behavior mdns //Create a traffic behavior and access its view.
 deny //Block service traffic that matches the specific rule.
traffic policy mdns //Create a traffic policy.
 classifier mdns behavior mdns //In the traffic policy, bind the traffic class to the traffic behavior.
interface GigabitEthernet0/0/23 //Access the WAN interface view.
 port link-type access //Configure the link type of the interface.
 port default vlan 123 //Configure a default VLAN and add the interface to the VLAN.
 traffic-policy mdns inbound //Apply the policy to the WAN interface to discard mDNS packets.
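
An added example, not part of Huawei's advisory: a Python check that reads a saved device configuration and reports whether either workaround above is in place on a given WAN interface. It assumes enabled features are saved as `mdns relay enable` / `mdns gateway enable` and that sub-commands are indented under their section header; the function names and the sample configuration are constructed for illustration.

```python
import re

MDNS_ENABLE = ("mdns relay enable", "mdns gateway enable")  # assumed saved form: inverse of the undo commands

def sections(config):  # assumed layout: sub-commands indented under an unindented header
    out, current = {}, None
    for raw in filter(str.strip, config.splitlines()):
        if raw[0].isspace() and current is not None:
            out[current].append(raw.strip())
        else:
            current = raw.strip()
            out.setdefault(current, [])
    return out

def body(s, prefix):  # sub-commands of the section whose header is prefix (plus arguments)
    return next((v for k, v in s.items() if k == prefix or k.startswith(prefix + " ")), [])

def audit_mdns(config, wan_interface):  # returns (verdict, reason)
    enabled = [c for c in MDNS_ENABLE if re.search(rf"^\s*{c}\s*$", config, re.M)]
    if not enabled:
        return "mitigated", "scenario 1: mDNS relay and gateway disabled"
    s = sections(config)
    for cmd in body(s, f"interface {wan_interface}"):
        pol = re.fullmatch(r"traffic-policy (\S+) inbound", cmd)
        for bind in body(s, f"traffic policy {pol.group(1)}") if pol else []:
            cb = re.fullmatch(r"classifier (\S+) behavior (\S+)", bind)
            if not cb or "deny" not in body(s, f"traffic behavior {cb.group(2)}"):
                continue
            for cond in body(s, f"traffic classifier {cb.group(1)}"):
                acl = re.fullmatch(r"if-match acl (\d+)", cond)
                rules = body(s, f"acl number {acl.group(1)}") if acl else []
                if any(re.fullmatch(r"rule \d+ deny udp destination-port eq 5353", r) for r in rules):
                    return "mitigated", f"scenario 2: UDP 5353 dropped inbound on {wan_interface}"
    return "exposed", f"{', '.join(enabled)} set, no inbound UDP 5353 deny on {wan_interface}"

# Constructed sample: the advisory's Scenario 2 commands with the mDNS gateway still enabled.
SAMPLE = """\
mdns gateway enable
acl number 3000
 rule 1 deny udp destination-port eq 5353
traffic classifier mdns operator or
 if-match acl 3000
traffic behavior mdns
 deny
traffic policy mdns
 classifier mdns behavior mdns
interface GigabitEthernet0/0/23
 traffic-policy mdns inbound
"""
```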

Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades, or obtain them through Huawei's worldwide website at (http://support.huawei.com/enterprise) / (http://support.huawei.com/carrier/) / (http://consumer.huawei.com/cn/support/index.htm). For TAC contact information, please refer to Huawei's worldwide website at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.

This vulnerability was reported by Chad Seaman. Huawei PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

For security problems with Huawei products and solutions, please contact PSIRT@huawei.com.

For general problems with Huawei products and solutions, please contact Huawei TAC directly to obtain configuration or technical assistance.

2015-09-09 V1.0 INITIAL

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by any means, is totally at your own risk. Huawei is entitled to amend or update this document from time to time.

Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's website at http://www.huawei.com/cn/security/psirt.