Just received a letter this morning telling me that a device on my network has a potential mDNS vulnerability. The only devices connected to the Superhub 1 are a Linux PC, a PS4 and an Xbox 360.
The PS4 and Xbox 360 are connected wirelessly, with the PS4 in the DMZ to fix NAT and performance issues in games; the Xbox 360 is using default settings. Also, the router firewall is off due to having a negative effect on game and download speeds.
The Linux PC is connected via Ethernet, has no multicast or wireless capabilities, and has no firewall active or secondary Windows OS partition.
No other devices have ever been connected to the superhub.
- It's probably the PS4
- It's very possible it's TiVo / VM Network
- Other devices include Macs, iPhones, Sonos speakers, Apple TV and services like Bonjour or DLNA
- It's specific to 5353 UDP, not TCP; ShieldsUP only scans TCP, so no point using them.
- ShadowServer have been totally useless as it's only log data with no specifics
- You can block it using the "Medium" firewall settings, which is a poor solution
- Even if using the firewall, you can let multicast bypass it using the helpful little checkbox underneath the firewall settings.
- VM haven't got a clue about this issue, with solutions ranging from "I dunno" to "Have you tried switching it off and on again"
I think that's everything that's been covered so far on this forum.
I have now had my second letter re this and been told that if I receive a 3rd then my internet will be cut off!
It's disgusting, as none of the monkeys at VM can offer any advice on how to fix this, and the only solution is to turn your firewall to Medium; in doing this, it stops my PlayStation Network and Amazon Video working.
You can't configure the firewall any further than VM's set Low, Medium or High and putting the PS4 in the DMZ still doesn't work.
It's really bad that they say 'Do it or else' and then don't offer any support. I've turned on every device in my house and then sat with a Wireshark capture running for 1 hour with a 5353 filter turned on, and not one entry turned up in the list. So as far as I'm concerned there's nothing on my network using 5353.
The letter even says 'A device on your network may have a vulnerability', so they are threatening to cut me off when they are not even sure it is an issue.
I have received my second letter today. Really not sure how to proceed with this. I have my Virgin Hub in modem-only mode and let my vastly superior Asus router handle my networking and firewall. I've been into that and checked all the settings, and everything seems as it should be. I wish the letter from Virgin would be a bit more detailed, like perhaps telling me the address of the actual device that may have the vulnerability, as it'd help me to do some more informed testing. Sadly, when you have a bunch of smart TVs, game consoles, laptops, computers, media streamers, tablets and mobile phones all connected to the same network, it doesn't give me much of a starting point.
It's the stupidest situation I've ever come across. I'm an IT engineer and I can't find any mDNS traffic on my network of smart devices. I've also run a dig @mypublicip command from outside my network and it tells me it's found one server, even though it doesn't respond and everything in the LAN except the Superhub is off! For them to threaten three strikes and you're out and not offer any idea of the MAC address of the affected device(s) is outrageous. Personally I think they have had this report from the Shadowserver organization and have just sent a blanket letter to everyone who was flagged. Let's not forget UDP 5353 is a zero-config service used by most network devices, including Apple devices, and let's face it, which household now doesn't have at least an iPad or iPhone? I think this might even be one for the telecoms ombudsman.
ritchiescholten wrote: It's the stupidest situation I've ever come across. I'm an IT engineer and I can't find any mDNS traffic on my network of smart devices. I've also run a dig @mypublicip command from outside my network and it tells me it's found one server, even though it doesn't respond and everything in the LAN except the Superhub is off! For them to threaten three strikes and you're out and not offer any idea of the MAC address of the affected device(s) is outrageous. Personally I think they have had this report from the Shadowserver organization and have just sent a blanket letter to everyone who was flagged. Let's not forget UDP 5353 is a zero-config service used by most network devices, including Apple devices, and let's face it, which household now doesn't have at least an iPad or iPhone? I think this might even be one for the telecoms ombudsman.
You don't even have to have an Apple device, just an installation of iTunes with Bonjour running.
The majority of VM customers expect a secure service, and at source from their ISP.
That should include hardware which is correctly configured at the outset to provide adequate protection. For VM to provide hardware such as their Superhubs, for which there is no alternative for their cable connection, is ludicrous! What's even worse is that VM are now blaming their customers for using insecure equipment and threatening them with disconnection.
We are now only just into 2017 and it's time to inform all ISPs that the security and integrity of their networks is, first and foremost, their responsibility! They provide the hardware and they are responsible for securing it.
In this era of the IoT (Internet of Things), where there are so many devices which can be connected and are inherently insecure, it's down to the ISPs in the first instance to ensure that their provided equipment is up to the task.
Blaming the customer for faults in an ISP provided piece of hardware is not the way to resolve these issues.
The problem is, just saying we have an mDNS vulnerability doesn't really help.
I too have received one of these letters today. So I did some digging and ended up installing Python and an mDNS checker.
And at first I thought I might have found the culprit.
Indeed, disabling AirServer (which lets me mirror my iPad to my PC) did remove the response.
However, there was a catch. I was doing the test from a machine on the LAN, using my public IP to do the checking. Now, WAN loopbacks in the router can do funny things. So the next step was to tether my laptop, which I'd used to get the positive result, to my mobile so I was testing from outside my local network, and re-enable AirServer on the offending PC.
This time I didn't get a reply. In fact, using Wireshark on the PC with AirServer on showed that the request didn't even reach it.
So I for one am at a loss here. Certainly knowing exactly what was in the mDNS response would be helpful - to that end I've sent ShadowServer an email to see if they can provide me with this information.
Edit: BTW, with regard to the OP, Linux does actually include mDNS support in the form of Avahi.
Only use Helpful answer if your problem's been solved.
I contacted Shadowserver and asked them the following.
I am a Virgin Media Customer who is currently on IP address 94.173.xxx.xxx
I have received a letter from Virgin Media stating an mDNS vulnerability has been found on my network, and linking to your website for more information.
After checking I did think I'd located the responsible device; however, it turns out I may be incorrect and that the result I got may have been confused by my router's loopback mechanism, and I could not replicate the result when trying the same test from outside my network.
However, rather than simply discount this as a false positive, I wanted to ask if you could supply more information to help me narrow down the issue. Namely, are you able to provide the response string that came back from the mDNS query?
This is the response I got.
Thanks for reaching out - I see the last entry we have of mDNS being exposed from your IP in our systems so far is 2016-12-27 10:58:17 UTC.
The raw event is as follows:
"2016-12-27 10:58:17","94.173.xxx.xxx","udp",5353,"cpc35-sutt4-2-0-custx.xx-x.cable.virginm.net","mdns",5089,"UK","BIRMINGHAM","SUTTON COLDFIELD",0,0,,,,"_airserver._tcp.local.; _raop._tcp.local.; _airplay._tcp.local.; ",,,,,,,,,,,
so the response string would be '_airserver._tcp.local.; _raop._tcp.local.; _airplay._tcp.local.; '
Note: I've edited the IP address and reverse DNS lookup for my IP.
Now if you read my earlier post you'll see that this was the result I got too, meaning I know what the software is that's causing the vulnerability on my system. I've also contacted the makers of AirServer to raise this result with them, and I will let you know what they say as well.
So - while people may well pour scorn on these letters, based on what I can see on my system, and my contact with Shadowserver, I would have to say that people would be foolish to simply ignore these letters.
Shadowserver's email address is published on their website.
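As an added example (not from the post or from Shadowserver), a small Python parser for the raw event line quoted above: it pulls out the IP, port and the list of advertised DNS-SD service types so the software behind an exposed responder can be identified. The column names for the leading fields are an assumption, since the post shows no header row, and the service descriptions are general knowledge rather than something the page states.

```python
import csv
import io

# The post quotes the event without Shadowserver's header row, so these names for
# the leading columns are an assumption inferred from the values themselves.
LEADING_COLUMNS = ["timestamp", "ip", "protocol", "port", "hostname", "tag", "asn",
                   "geo", "region", "city"]

# Well-known DNS-SD service types (general knowledge, not from the page), used to
# explain what an exposed responder is advertising to the internet.
KNOWN_SERVICES = {
    "_airplay._tcp.local.": "AirPlay receiver",
    "_raop._tcp.local.": "Remote Audio Output Protocol (AirPlay audio)",
    "_airserver._tcp.local.": "AirServer mirroring receiver",
}

# Constructed copy of the raw event quoted in the post (IP and rDNS already redacted).
SAMPLE_EVENT = (
    '"2016-12-27 10:58:17","94.173.xxx.xxx","udp",5353,'
    '"cpc35-sutt4-2-0-custx.xx-x.cable.virginm.net","mdns",5089,"UK",'
    '"BIRMINGHAM","SUTTON COLDFIELD",0,0,,,,'
    '"_airserver._tcp.local.; _raop._tcp.local.; _airplay._tcp.local.; ",,,,,,,,,,,'
)


def parse_event(line):
    """Parse one raw Shadowserver mDNS event line into a dict with a services list."""
    fields = next(csv.reader(io.StringIO(line)))
    record = dict(zip(LEADING_COLUMNS, fields))
    for key in ("port", "asn"):
        if record.get(key, "").isdigit():
            record[key] = int(record[key])
    # The advertised services sit in a later, unnamed column as a "; "-separated list
    # of DNS-SD types; locate that column by content rather than guessing its position.
    services_field = next((f for f in fields if "local." in f), "")
    record["services"] = [s.strip() for s in services_field.split(";") if s.strip()]
    return record


def explain(record):
    """Pair each advertised service type with a description, flagging unknown ones."""
    return [(s, KNOWN_SERVICES.get(s, "unrecognised service type"))
            for s in record["services"]]


if __name__ == "__main__":
    event = parse_event(SAMPLE_EVENT)
    print(event["timestamp"], event["ip"], event["protocol"], event["port"])
    for service, meaning in explain(event):
        print(f"  {service:<26} {meaning}")
```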