monkehfu
Message 1 of 8

Multicast DNS Vulnerabilities

Had an interesting letter today from VM regarding a potential Multicast DNS vulnerability on my home network.

VMIS5-MDNS-F004922408

The port in question is 5353 tcp/udp

It's not open to the outside/public

After poking about for a bit on my network and doing some more poking about online, this is the default port for AppleTV. This makes sense as I have two in the house that are used heavily.

The problem is, VM want me to block those ports, which to be honest, isn't going to happen as they are used for Multicast purposes under MacOS/iOS/TvOS.

All Apple ports in use can be found here: https://support.apple.com/en-gb/HT202944

5353 UDP Multicast DNS (MDNS) 3927 mdns Bonjour, AirPlay, Home Sharing, Printer Discovery, Back to My Mac

Can I suggest that VM update their information?

MortyChris
Message 2 of 8

Re: Multicast DNS Vulnerabilities

I would be interested to know more too. Received the letter today but it seems very vague. Happy to do what they suggest and block the port but how can I know that my hardware in the house will continue to function?

The Virgin website states they will consider 'other means' if ignored..... Really???

you have received a letter/email from Virgin Media about this vulnerability, it is important that the issue is resolved within 5 days of the receipt of this communication, otherwise we may have to consider further measures including suspending your Internet service.


http://help.virginmedia.com/system/selfservice.controller?CONFIGURATION=1001&PARTITION_ID=1&secureFl...

peonic
Message 3 of 8

Re: Multicast DNS Vulnerabilities

I just ran Wireshark to get a packet trace from my network.

I can only see one box sending mDNS requests..........


The Virgin Media TiVo


:/

thewhitefang750
Message 4 of 8

Re: Multicast DNS Vulnerabilities

Got the same mail through.  Most things like Steam, Battle.net, League, etc etc, use this MDNS.  Virgin has got their info wrong somewhere on this.

Superuser
Message 5 of 8

Re: Multicast DNS Vulnerabilities

Virgin Media are acting on log data provided by Shadowserver but unfortunately they seem incapable of including any of the log data in the notice sent to customers.

monkehfu
Message 6 of 8

Re: Multicast DNS Vulnerabilities

I've spent all night stressing about this.

This is the first time in 8 years of being a customer that I've had anything like this, and in all honesty, the total vagueness of the letter wasn't exactly helpful.

I've queried it on twitter, but the guys at ShadowServer have just been rude and unhelpful.

My network is managed quite well and I have never had issues. I can't stealth port 5353 as there's no way to configure it on the SH2ac.
I was more surprised to see that all of the port forwarding and router settings I spent days inputting have all disappeared, I assume this happens every time VM do something to the router, so what's the point in port blocking 5353 or any other port?

I have 21 devices on my network, this is a headache I'd rather not have.

From what I understand, I have a couple of options...

- VPN all of my traffic in and out
- Hardware VPN
- Buy a router which I can actually manage without the risk of VM screwing it up at will

I assume their threat of "further steps" would involve VM forcing my router into a higher firewall setting. Ironic how VM tell us to do this to protect from some threat and then use the same threat to modify your hardware without your knowledge. Irony?

The only things that have changed recently are the Investigatory Powers Bill (IPBill), VM network changes for the V6 Box, and my being part of the VM Wifi test area. The latter I intend to opt out of asap.

HappySpaceInvdr
Message 7 of 8

Re: Multicast DNS Vulnerabilities

I got the same letter from Virgin on 29th September 2017, referring to a scan that took place on 9th September 2017.  I performed an external scan (from an AWS machine), and nothing came back.

I recently bought a Fingbox device for my network.  Now... the way this device manages to do what it does on your network may raise your eyebrows somewhat... but it did alert me to a computer on my network that was allowing 5353/UDP through the firewall over uPnP.

I suspect that the scan took place while some particular piece of software was running... detecting the cause now is going to involve an awful lot of testing and trial & error. 

HappySpaceInvdr
Message 8 of 8

Re: Multicast DNS Vulnerabilities

Be aware that the website mentioned in the letter, virginmedia.com/mdns is full of inaccurate and misleading advice.

"The easiest way to deal with an Multicast DNS vulnerability is to configure your firewall to block port 5353."

There is no way to do this on Virgin Media routers!  Virgin Media routers do not have a configurable firewall.  The article merely instructs you on how to delete existing port forwarding rules - this is not the same thing as configuring a firewall to drop requests.

In many cases, there will be no such port forwarding rules anyway, as the port will have been opened up to a specific device via uPnP and will be invisible to the firewall.  The correct advice is to tell customers to disable uPnP... however, that will most likely result in a lot of popular network services suddenly becoming disabled.

"If you have a device configured in your firewall's DMZ that does not use its own firewall, it is crucial that you disable this option immediately."

No, no, no... there are plenty of consumer devices designed to be placed into a DMZ that are far more secure than a common computer.  Examples are an Xbox or PlayStation.  

"How do I know I’m now safe?

If you have followed the above advice you can be confident that you have resolved the issue."

Wrong!  This is the worst kind of computer advice imaginable.  Consider the fact that the article has totally missed the uPnP situation... you'd still be vulnerable!  

The only way to know you are safe is to perform the appropriate port scan from a computer external to your network.  I'd love to go into more detail here, but it would likely result in my post being deleted.

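Messages 3, 7 and 8 above turn on two questions: what an mDNS responder actually reveals, and how to confirm from outside your network whether your own public address answers on 5353/UDP (which is what a Shadowserver-style open-mDNS report is based on). The following is an added example written for this thread, not code from any poster, Virgin Media or Shadowserver. It builds the standard DNS-SD service-enumeration query (a PTR query for `_services._dns-sd._udp.local`), parses a DNS/mDNS response, and includes a `probe()` helper that sends the query to a host you name. The sample response packet is constructed inline so the parser can be exercised offline; the `_airplay._tcp` service name in it is illustrative, not taken from anyone's trace.

```python
"""mDNS exposure check: query builder, response parser and unicast probe.

Added example for the thread above (not Virgin Media's, Shadowserver's or
any poster's code). Run probe("<your public IP>") from a host outside your
network to see whether anything answers the DNS-SD enumeration query.
"""
from __future__ import annotations

import socket
import struct

MDNS_PORT = 5353
SERVICES_QNAME = "_services._dns-sd._udp.local"
TYPE_PTR = 12
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels with a terminating zero length."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str = SERVICES_QNAME, txid: int = 0) -> bytes:
    """Standard query: header (QDCOUNT=1) + one PTR/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def decode_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly-compressed DNS name; return (name, offset after it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), end


def parse_response(data: bytes) -> dict:
    """Return whether the packet is a response and the names it advertises."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                 # skip the question section
        _, offset = decode_name(data, offset)
        offset += 4                     # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR:           # PTR rdata is itself a (compressible) name
            target, _ = decode_name(data, offset)
            answers.append(target)
        else:
            answers.append(f"{name} type={rtype}")
        offset += rdlen
    return {"is_response": bool(flags & 0x8000), "answers": answers}


def build_sample_response() -> bytes:
    """Constructed packet: one PTR answer, 'local' label compressed (illustrative)."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)   # response, authoritative
    name = encode_name(SERVICES_QNAME)                       # starts at offset 12
    local_off = 12 + len(encode_name("_services._dns-sd._udp")) - 1
    rdata = encode_name("_airplay._tcp")[:-1] + struct.pack("!H", 0xC000 | local_off)
    rr = name + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, len(rdata)) + rdata
    return header + rr


def probe(host: str, timeout: float = 2.0) -> dict | None:
    """Send the enumeration query to host:5353 by unicast; None if no answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(), (host, MDNS_PORT))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data)


if __name__ == "__main__":
    print(parse_response(build_sample_response()))
```

A `None` from `probe()` run against your own public IP from outside means nothing on the WAN side answered, which is the "external scan came back clean" result in message 7; a populated `answers` list means a UPnP mapping or port-forward rule is passing 5353/UDP to a device on the LAN, and that mapping (or UPnP itself, as message 8 notes) is what to remove. Blocking 5353 on the LAN is not needed and would break Bonjour/AirPlay, as message 1 points out.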