Comment # 1 on bug 1037001 from
[2]:
================================================================
Avahi IPv6 Off-link Unicast mDNS Interaction

Advisory Number: 201701

Assigned CVE: CVE-2017-6519

Affected software / systems: Avahi daemon. Avahi daemon used in various popular
Linux OS (and other open source Operating Systems). Vulnerability has been
confirmed in latest (as of Feb 22, 2017) CentOS 6, CentOS 7, Fedora 25, Ubuntu
15.04.

Attack type: Remote

Impact:
- DDoS amplification attacks and other remote DoS attacks.
- Information disclosure

Description: Avahi through 0.6.32 inadvertently responds to IPv6 unicast
queries with source addresses that are not on-link, which allows remote
attackers to cause a denial of service (traffic amplification) or obtain
potentially sensitive information via port-5353 UDP packets.
According to IETF RFC 6762 section 5.5, "Since it is possible for a unicast
query to be received from a machine outside the local link, responders SHOULD
check that the source address in the query packet matches the local subnet for
that link (or, in the case of IPv6, the source address has an on-link prefix)
and silently ignore the packet if not."

Reference: A. Atlasis, "An Attack-in-Depth Analysis of multicast DNS and DNS
Service Discovery," Hack In the Box, Amsterdam, 14th April 2017.

Similar Vulnerabilities:
- CERT-VN:VU#550620
- CVE-2015-2809
- CVE-2017-6520

Mitigation: Block at the perimeter UDP port 5353 both for incoming and outgoing
connections.

Note: Red Hat developers do not consider it a bug (see
https://bugzilla.redhat.com/show_bug.cgi?id=1426712).
================================================================
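
The on-link source check that RFC 6762 section 5.5 asks of responders, sketched in C as an added example; it is not Avahi's code and not part of the advisory. The type `onlink_prefix`, the function names and the 2001:db8::/32 documentation prefixes are assumptions chosen for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One on-link prefix of the receiving interface (hypothetical type). */
struct onlink_prefix {
    const char *network;    /* e.g. "2001:db8:1::" (documentation prefix) */
    unsigned    prefix_len; /* 0..128 */
};

/* Compare the first `bits` bits of two 16-byte IPv6 addresses. */
static bool prefix_match(const uint8_t *a, const uint8_t *b, unsigned bits)
{
    unsigned full = bits / 8, rem = bits % 8;
    if (bits > 128 || memcmp(a, b, full) != 0)
        return false;
    if (rem == 0)
        return true;
    uint8_t mask = (uint8_t)(0xFF << (8 - rem));
    return (a[full] & mask) == (b[full] & mask);
}

/* Returns true if a unicast query from `src` may be answered, false if the
 * packet should be silently ignored because the source is not on-link. */
bool mdns_source_is_on_link(const char *src,
                            const struct onlink_prefix *pfx, size_t n)
{
    struct in6_addr s, net;
    if (inet_pton(AF_INET6, src, &s) != 1)
        return false;                     /* unparsable source: ignore */
    /* Assumption: fe80::/10 sources are on-link, since routers do not
     * forward packets with a link-local source address. */
    if (s.s6_addr[0] == 0xfe && (s.s6_addr[1] & 0xc0) == 0x80)
        return true;
    for (size_t i = 0; i < n; i++) {
        if (inet_pton(AF_INET6, pfx[i].network, &net) != 1)
            continue;                     /* skip malformed prefix entry */
        if (prefix_match(s.s6_addr, net.s6_addr, pfx[i].prefix_len))
            return true;
    }
    return false;                         /* off-link: do not respond */
}
```

A responder would call this with the prefixes configured on the interface that received the query, before building any reply.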

