Vulnerabilities that Videolabs recently addressed in its libmicrodns library could lead to denial of service (DoS) and arbitrary code execution, Cisco Talos’ security researchers warn.
A company founded by VideoLAN members, Videolabs is the current editor of the VLC mobile applications and also an important contributor to the VLC media player. The libmicrodns mDNS resolver cross-platform library is used in the VLC media player for mDNS service discovery.
The most severe of the newly discovered vulnerabilities is an exploitable remote code execution bug in the label-parsing functionality of the library. It is tracked as CVE-2020-6072 and has a CVSS score of 9.8.
“When parsing compressed labels in mDNS messages, the `rr_decode` function’s return value is not checked, leading to a double free that could be exploited to execute arbitrary code. An attacker can send an mDNS message to trigger this vulnerability,” Talos explains.
All of the remaining issues have a CVSS score of 7.5, but they impact different components of the library. The first of them is a denial of service bug in the resource record-parsing functionality of libmicrodns.
The issue is tracked as CVE-2020-6071 and can be triggered during the parsing of compressed labels in mDNS messages. According to Talos, because the compression pointer is followed without checking for recursion, a denial of service condition can occur.
Another DoS flaw was found in the TXT record-parsing functionality of the library and is tracked as CVE-2020-6073. According to Talos, integer overflows can be triggered when parsing the RDATA section in a TXT record in mDNS messages, leading to DoS.
The message-parsing functionality of libmicrodns was impacted by an out-of-bounds flaw (CVE-2020-6077) that existed because the implementation did not properly keep track of the available data in the message when parsing mDNS messages, thus leading to DoS.
Another exploitable DoS vulnerability (CVE-2020-6078) exists when parsing mDNS messages in ‘mdns_recv’ because no check is performed on the return value of the ‘mdns_read_header’ function. This eventually leads to a service crash.
Two other DoS bugs were found in the resource allocation handling of libmicrodns. Tracked as CVE-2020-6079 and CVE-2020-6080, these issues are triggered because some allocated data is not freed when encountering errors while parsing mDNS messages, which could lead to resource exhaustion.
An attacker looking to exploit these vulnerabilities can send a specially crafted mDNS message or a series of mDNS messages. In their release notes, libmicrodns developers said the flaws “could trigger local DoS by forging invalid mDNS packets.”
Talos found these vulnerabilities in version 0.1.0 of the libmicrodns library and reported them to the vendor in January. A fix was made available on March 20 with the release of version 0.1.1.