CVE-2025-59529
📋 TL;DR
Avahi's simple protocol server ignores the documented client connection limit, allowing unprivileged local users to establish unlimited connections. This can exhaust daemon memory and file descriptors, causing a denial of service for mDNS/DNS-SD services system-wide. Systems running Avahi versions up to 0.9-rc2 with the simple protocol server enabled are affected.
💻 Affected Systems
- Avahi
📦 What is this software?
Avahi by Avahi
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of mDNS/DNS-SD services system-wide, preventing resolution of *.local names and link-local addresses, with increased system load from logging errors.
Likely Case
Local DoS affecting mDNS/DNS-SD services, disrupting service discovery and local name resolution for applications using nss-mdns plugins.
If Mitigated
Minimal impact if access controls restrict socket access or if DBus-based resolution is used exclusively.
🎯 Exploit Status
Exploitation requires local access but no authentication. Simple scripts can repeatedly connect to the Unix socket to trigger the DoS. Public proof-of-concept details are available in the references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not yet released
Vendor Advisory: https://github.com/avahi/avahi/security/advisories/GHSA-73wf-3xmj-x82q
Restart Required: Yes
Instructions:
1. Monitor the Avahi GitHub repository for an official patch release.
2. Apply the patch when available.
3. Restart the avahi-daemon service.
4. Consider applying the candidate fix from pull request 808 if building from source.
🔧 Temporary Workarounds
Restrict Unix socket permissions
Linux: change the permissions of the Unix socket after avahi-daemon starts so that only trusted users can reach it.
chmod 600 /run/avahi-daemon/socket
Implement SELinux/AppArmor policies
Linux: use mandatory access controls to restrict which processes can access the Avahi Unix socket.
🧯 If You Can't Patch
- Monitor system logs for excessive connection attempts to the Avahi socket and investigate suspicious local user activity.
- Consider disabling Avahi entirely if mDNS/DNS-SD functionality is not required (e.g., on servers).
🔍 How to Verify
Check if Vulnerable:
Check Avahi version: avahi-daemon --version. If version is 0.9-rc2 or earlier, the system is vulnerable. Also verify the Unix socket exists: ls -la /run/avahi-daemon/socket.
Check Version:
avahi-daemon --version 2>/dev/null || dpkg -l | grep avahi || rpm -qa | grep avahi
Verify Fix Applied:
After applying a fix, test by attempting to connect to the socket multiple times (e.g., using netcat or a script) and verify connections are limited or rejected appropriately. Monitor avahi-daemon logs for error messages.
📡 Detection & Monitoring
Log Indicators:
- Repeated 'Failed to accept client' or similar error messages in avahi-daemon logs (e.g., /var/log/syslog, journalctl -u avahi-daemon).
- Increased system load or file descriptor exhaustion alerts.
Network Indicators:
- Unusual number of connections to the Unix socket /run/avahi-daemon/socket (monitor via lsof or netstat).
SIEM Query:
source="avahi-daemon" AND ("Failed to accept client" OR "connection limit")
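The log indicators above can be turned into a simple burst detector. This is an added example, not part of the advisory; the log lines are constructed in syslog format, and the exact wording the daemon emits may differ from the indicator strings the advisory quotes, so adjust INDICATORS to match your logs.

```python
import re
from collections import Counter
from datetime import datetime

# Syslog-style avahi-daemon line; the timestamp layout is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ avahi-daemon\[\d+\]: (?P<msg>.*)$"
)
# Indicator strings taken from the advisory; real daemon wording may vary.
INDICATORS = ("Failed to accept client", "connection limit")
EPOCH = datetime(1900, 1, 1)  # strptime without a year yields 1900

def parse_line(line):
    """Return (seconds, message) for an avahi-daemon line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return (ts - EPOCH).total_seconds(), m.group("msg")

def accept_failure_bursts(lines, window=60, threshold=10):
    """Count indicator messages per fixed time window (seconds).

    Returns sorted (window_index, count) pairs at or above threshold;
    a hit means many accept failures landed in one window."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        secs, msg = parsed
        if any(ind in msg for ind in INDICATORS):
            counts[int(secs // window)] += 1
    return sorted((w, n) for w, n in counts.items() if n >= threshold)

# Constructed sample: a burst of 12 failures in one minute, one stray later.
SAMPLE_LOG = [
    "Oct 10 12:00:01 host avahi-daemon[812]: Server startup complete.",
] + [
    f"Oct 10 12:01:{s:02d} host avahi-daemon[812]: Failed to accept client: Too many open files"
    for s in range(12)
] + [
    "Oct 10 12:05:30 host avahi-daemon[812]: Failed to accept client: Too many open files",
    "Oct 10 12:05:31 host sshd[900]: Accepted publickey for alice",
]

if __name__ == "__main__":
    for window_index, count in accept_failure_bursts(SAMPLE_LOG):
        print(f"burst: {count} accept failures in window {window_index}")
```

Feed it `journalctl -u avahi-daemon -o short` output line by line; the threshold should sit well above the handful of failures a healthy daemon logs.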