Security Experts:

Connect with us

Hi, what are you looking for?



Videolabs Patches Code Execution, DoS Vulnerabilities in libmicrodns Library

Vulnerabilities that Videolabs recently addressed in its libmicrodns library could lead to denial of service (DoS) and arbitrary code execution, Cisco Talos’ security researchers warn.

Vulnerabilities that Videolabs recently addressed in its libmicrodns library could lead to denial of service (DoS) and arbitrary code execution, Cisco Talos’ security researchers warn.

A company founded by VideoLAN members, Videolabs is the current editor of the VLC mobile applications and also an important contributor to the VLC media player. The libmicrodns mDNS resolver cross-platform library is used in the VLC media player for mDNS service discovery.

The most severe of the newly discovered vulnerabilities is an exploitable remote code execution bug in the label-parsing functionality of the library. It is tracked as CVE-2020-6072 and has a CVSS score of 9.8.

“When parsing compressed labels in mDNS messages, the `rr_decode` function’s return value is not checked, leading to a double free that could be exploited to execute arbitrary code. An attacker can send an mDNS message to trigger this vulnerability,” Talos explains.

All of the remaining issues have a CVSS score of 7.5, but they impact different components of the library. The first of them is a denial of service bug in the resource record-parsing functionality of libmicrodns.

The issue is tracked as CVE-2020-6071 and can be triggered during the parsing of compressed labels in mDNS messages. According to Talos, because the compression pointer is followed without checking for recursion, a denial of service condition can occur.

Another DoS flaw was found in the TXT record-parsing functionality of the library and is tracked as CVE-2020-6073. According to Talos, integer overflows can be triggered when parsing the RDATA section in a TXT record in mDNS messages, leading to DoS.

The message-parsing functionality of libmicrodns was impacted by an out-of-bounds flaw (CVE-2020-6077) that existed because the implementation did not properly keep track of the available data in the message when parsing mDNS messages, thus leading to DoS.

Another exploitable DoS vulnerability (CVE-2020-6078) exists when parsing mDNS messages in ‘mdns_recv’ because no check is performed on the return value of the ‘mdns_read_header’ function. This eventually leads to a service crash.

Two other DoS bugs were found in the resource allocation handling of libmicrodns. Tracked as CVE-2020-6079 and CVE-2020-6080, these issues are triggered because some allocated data is not freed when encountering errors while parsing mDNS messages, which could lead to resource exhaustion.

An attacker looking to exploit these vulnerabilities can send a specially crafted mDNS message or a series of mDNS messages. In their release notes, libmicrodns developers said the flaws “could trigger local DoS by forging invalid mDNS packets.”

Talos found these vulnerabilities in version 0.1.0 of the libmicrodns library and reported them to the vendor in January. A fix was made available on March 20 with the release of version 0.1.1.

Related: Vulnerabilities in Mini-SNMPD Lead to DoS, Information Disclosure

Related: Remote Code Execution Flaw Impacts E2fsprogs Filesystem Utility

Related: Multiple Vulnerabilities Found in AMD ATI Radeon Graphics Cards

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet