Security News > 2020 > March > Videolabs Patches Code Execution, DoS Vulnerabilities in libmicrodns Library
Vulnerabilities that Videolabs recently addressed in its libmicrodns library could lead to denial of service and arbitrary code execution, Cisco Talos' security researchers warn.
The libmicrodns mDNS resolver cross-platform library is used in the VLC media player for mDNS service discovery.
According to Talos, integer overflows can be triggered when parsing the RDATA section in a TXT record in mDNS messages, leading to DoS. The message-parsing functionality of libmicrodns was impacted by an out-of-bounds flaw that existed because the implementation did not properly keep track of the available data in the message when parsing mDNS messages, thus leading to DoS. Another exploitable DoS vulnerability exists when parsing mDNS messages in 'mdns recv' because no check is performed on the return value of the 'mdns read header' function.
An attacker looking to exploit these vulnerabilities can send a specially crafted mDNS message or a series of mDNS messages.
In their release notes, libmicrodns developers said the flaws "Could trigger local DoS by forging invalid mDNS packets."