CVE-2015-7987
📋 TL;DR
CVE-2015-7987 is a critical buffer overflow vulnerability in Apple's mDNSResponder service that allows remote attackers to read or write to out-of-bounds memory locations via specially crafted network packets. This affects Apple devices and systems using vulnerable versions of mDNSResponder, potentially allowing remote code execution or information disclosure.
💻 Affected Systems
- Apple macOS
- Apple iOS
- Apple tvOS
- Apple watchOS
- Bonjour for Windows
📦 What is this software?
mDNSResponder is Apple's Bonjour daemon: it implements multicast DNS (mDNS) and DNS Service Discovery, listening on UDP port 5353, and ships with macOS, iOS, tvOS and watchOS as well as Bonjour for Windows (installed alongside iTunes and other Apple software).
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with SYSTEM/root privileges leading to complete system compromise, data theft, and lateral movement within networks.
Likely Case
Denial of service, information disclosure, or limited code execution depending on exploit implementation and system configuration.
If Mitigated
Limited impact if proper network segmentation, firewalls, and least privilege principles are implemented, though risk remains significant.
🎯 Exploit Status
Exploitation requires sending specially crafted mDNS packets to UDP port 5353. Multiple attack vectors exist through different vulnerable functions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: mDNSResponder 625.41.2 or later
Vendor Advisory: https://support.apple.com/HT206846
Restart Required: Yes
Instructions:
1. Apply Apple security updates for your OS version.
2. For macOS, use Software Update.
3. For iOS/tvOS/watchOS, update through Settings.
4. For Windows, update Bonjour, or remove it if it is not needed.
🔧 Temporary Workarounds
Block mDNS Port
Block UDP port 5353 at the network perimeter and between network segments. mDNS is link-local by design, so blocking it at segment boundaries keeps crafted packets from reaching vulnerable hosts on other segments while leaving same-subnet service discovery intact.
# Example iptables rule: iptables -A INPUT -p udp --dport 5353 -j DROP
# Example Windows Firewall: netsh advfirewall firewall add rule name="Block mDNS" dir=in action=block protocol=UDP localport=5353
Disable mDNSResponder Service
Disable the mDNSResponder service if it is not required. Note that this also disables Bonjour service discovery (AirPlay, AirPrint, printer and device discovery) on that host.
# macOS: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
# Windows: sc config "Bonjour Service" start= disabled && sc stop "Bonjour Service"
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable systems
- Deploy intrusion detection/prevention systems to monitor for mDNS exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the mDNSResponder version or the system patch level. On macOS, sw_vers or system_profiler SPSoftwareDataType report the installed OS version, which you can compare against the OS versions covered by the vendor advisory. On Windows, check the Bonjour version in Programs and Features.
Check Version:
# macOS: defaults read /System/Library/CoreServices/mDNSResponder CFBundleShortVersionString
Verify Fix Applied:
Verify mDNSResponder version is 625.41.2 or later. Check that Apple security updates are installed.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from mDNSResponder
- Crash logs for mDNSResponder
- High volume of mDNS traffic on port 5353
Network Indicators:
- Malformed mDNS packets
- Unusual traffic patterns to UDP port 5353
- mDNS packets with abnormal field values
SIEM Query:
source="*mDNSResponder*" AND (event_type="crash" OR (process_name="mDNSResponder" AND parent_process!="launchd"))
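The network indicators above are generic; the concrete structural checks a sensor can apply to a captured mDNS payload are shown in the following added example (not part of the advisory): every name, count and rdlength is bounds-checked against the packet, so a packet that would push a naive parser out of bounds is reported instead of parsed. The sample packets are constructed for illustration.

```python
def read_name(buf, off):
    """Walk a DNS name at `off`, bounds-checking every byte; returns (name, next_off)."""
    seen, labels, end = set(), [], None
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of packet")
        n = buf[off]
        if n == 0:                                  # root label terminates the name
            return ".".join(labels), (off + 1 if end is None else end)
        if n & 0xC0 == 0xC0:                        # 2-byte compression pointer
            if off + 1 >= len(buf):
                raise ValueError("truncated compression pointer")
            ptr = ((n & 0x3F) << 8) | buf[off + 1]
            if ptr >= off or ptr in seen:           # only backward, never revisited
                raise ValueError("forward or looping compression pointer")
            seen.add(ptr)
            end = off + 2 if end is None else end   # name ends after the first pointer
            off = ptr
        elif n > 63 or off + 1 + n > len(buf):
            raise ValueError("bad label length")
        else:
            labels.append(buf[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n

def check_mdns_packet(buf):
    """List structural anomalies in a raw mDNS payload (UDP data only); [] if consistent."""
    if len(buf) < 12:
        return ["header shorter than 12 bytes"]
    qd, an, ns, ar = (int.from_bytes(buf[i:i + 2], "big") for i in (4, 6, 8, 10))
    off = 12
    try:
        # questions carry 4 fixed bytes (type, class); records carry 10 plus rdata
        for fixed, count in ((4, qd), (10, an + ns + ar)):
            for _ in range(count):
                _, off = read_name(buf, off)
                if off + fixed > len(buf):
                    raise ValueError("fixed fields truncated")
                rdlength = int.from_bytes(buf[off + 8:off + 10], "big") if fixed == 10 else 0
                if off + fixed + rdlength > len(buf):
                    raise ValueError("rdlength %d exceeds remaining bytes" % rdlength)
                off += fixed + rdlength
    except ValueError as e:
        return [str(e)]
    return [] if off == len(buf) else ["%d trailing bytes after last record" % (len(buf) - off)]

# Constructed samples: a valid PTR query for _http._tcp.local, and the same bytes with ANCOUNT=1
GOOD = bytes.fromhex("0000 0000 0001 0000 0000 0000"
                     "05 5f68747470 04 5f746370 05 6c6f63616c 00 000c 0001")
BAD = GOOD[:6] + b"\x00\x01" + GOOD[8:]
```

Feed check_mdns_packet the UDP payload of each port-5353 datagram; a non-empty result is the "malformed mDNS packet" indicator listed above, with the reason attached.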
🔗 References
- http://www.kb.cert.org/vuls/id/143335
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
- http://www.securityfocus.com/bid/91323
- http://www.securitytracker.com/id/1036181
- https://support.apple.com/HT206846