CVE-2015-7988

Vulnerability

The vulnerability resides in the handle_regservice_request() function of mDNSResponder, the open-source software implementing Bonjour on Apple and third-party systems. Improper input validation triggers a NULL pointer dereference, allowing remote attackers to execute arbitrary code or cause a denial of service. Affected versions are mDNSResponder 379.27 and later prior to version 625.41.2. This issue is tracked as CVE-2015-7988 [1][2].

Exploitation

An attacker does not require authentication and can exploit this vulnerability remotely over the network. The exact vectors are unspecified in the references, but the CERT/CC note indicates that the vulnerability is related to memory corruption and can be triggered by sending crafted packets to the mDNSResponder service. No user interaction or special network position is needed beyond network reachability [2].

Impact

Successful exploitation leads to arbitrary code execution as the service user, potentially gaining full control over the affected system. Alternatively, the attacker could cause a denial of service by triggering a crash via the NULL pointer dereference. The impact includes complete compromise of confidentiality, integrity, and availability [1][2].

Mitigation

Apple released mDNSResponder version 625.41.2 to address this vulnerability, along with security updates for OS X El Capitan v10.11.1, Yosemite v10.10.5 (with Security Update 2015-004), Mavericks v10.9.5 (with Security Update 2015-007), iOS 9.1, watchOS 2.1, and AirPort Base Station Firmware 7.7.7/7.6.7. Apple also coordinated with vendors, so third-party products should be updated by their respective vendors. No workarounds are documented [1][2].