CVE-2018-4002
Description
An exploitable denial-of-service vulnerability exists in the mdnscap binary of the CUJO Smart Firewall running firmware 7003. When parsing labels in mDNS packets, the firewall unsafely handles label compression pointers, leading to an uncontrolled recursion that eventually exhausts the stack, crashing the mdnscap process. An unauthenticated attacker can send an mDNS message to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An uncontrolled recursion in mdnscap label parsing allows unauthenticated attackers to crash the CUJO Smart Firewall via a crafted mDNS packet.
Vulnerability
The mdnscap binary in CUJO Smart Firewall firmware 7003 contains an uncontrolled recursion vulnerability when parsing labels in mDNS packets. The software unsafely handles label compression pointers, leading to recursive function calls that exhaust the stack. This allows an unauthenticated attacker to crash the mdnscap process [1].
Exploitation
An unauthenticated attacker can send a specially crafted mDNS packet to the target device. No authentication or special network access is required; the packet is processed by the mdnscap tapper, triggering the uncontrolled recursion [1].
Impact
Successful exploitation causes a denial-of-service condition by crashing the mdnscap process. This disrupts network monitoring and device functionality, but does not affect other services or allow arbitrary code execution [1].
Mitigation
At the time of disclosure (October 31, 2019), no official fix was available. Users are advised to monitor for firmware updates from CUJO and consider restricting network access to the device as a temporary workaround [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CUJO/Smart Firewall
- Range: = 7003
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Uncontrolled recursion in mDNS label parsing: the compression_label function recursively calls data_label without a depth limit, allowing a crafted mDNS packet to exhaust the stack."
Attack vector
An unauthenticated attacker sends a single mDNS UDP packet to port 5353 on the CUJO Smart Firewall. The mdnscap binary captures the packet via libpcap and passes it through Ethernet, IP, and UDP parsing before calling parse_mdns_records for each DNS section. Inside dns_parse_name, the compression_label function follows label compression pointers and recursively calls data_label [1]. By crafting a chain of compression pointers that never resolves to a terminal label, the attacker triggers deep recursion that exhausts the call stack, crashing the mdnscap process [CWE-674] [1].
Affected code
The vulnerability resides in the mdnscap binary's label-parsing functions. The compression_label function (at address 0x1F1C) extracts a 14-bit offset from a compression pointer and, if the pointed-to byte does not have the 0xC0 bits set, calls data_label recursively [1]. The data_label function similarly processes label-length bytes and may call compression_label, creating mutual recursion with no depth limit [1]. The call chain is: parse_mdns → parse_mdns_records → dns_parse_name → compression_label ↔ data_label [1].
What the fix does
The advisory does not include a patch or describe a specific code fix [1]. The recommended remediation is to implement a recursion-depth limit or an iterative loop in the compression_label and data_label functions so that label pointers cannot cause uncontrolled stack growth. Without such a bound, an attacker can trivially trigger a stack overflow by sending a crafted mDNS response with QR=1 and TC=0 [1].
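The bounded, iterative parsing recommended above, sketched in C as an added example (not code from the advisory or from mdnscap). The names parse_name_bounded, MAX_JUMPS and name_buf are hypothetical, the jump cap of 16 is an assumed value, and the sample buffers are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME  255  /* RFC 1035 caps a name at 255 octets */
#define MAX_JUMPS 16   /* assumed cap on compression pointers followed per name */

/* Hypothetical helper, not mdnscap code: decode the name at msg[off] into out
 * as dotted text. Returns the text length, or -1 for malformed input. */
int parse_name_bounded(const uint8_t *msg, size_t len, size_t off,
                       char *out, size_t outsz)
{
    size_t n = 0;
    int jumps = 0;
    for (;;) {
        if (off >= len) return -1;                 /* offset outside packet */
        uint8_t b = msg[off];
        if ((b & 0xC0) == 0xC0) {                  /* compression pointer */
            if (off + 1 >= len) return -1;
            if (++jumps > MAX_JUMPS) return -1;    /* pointer loop or long chain */
            off = ((size_t)(b & 0x3F) << 8) | msg[off + 1];  /* 14-bit offset */
            continue;                              /* loop instead of recursing */
        }
        if (b & 0xC0) return -1;                   /* reserved label type */
        if (b == 0) break;                         /* root label ends the name */
        if (off + 1 + b > len) return -1;          /* label overruns packet */
        if (n + b + 1 > MAX_NAME || n + b + 2 > outsz) return -1;
        if (n) out[n++] = '.';
        memcpy(out + n, msg + off + 1, b);
        n += b;
        off += 1 + (size_t)b;
    }
    if (n >= outsz) return -1;
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample buffers, not captured traffic. */
static const uint8_t SAMPLE_OK[] = { 3,'f','o','o', 5,'l','o','c','a','l', 0, 3,'b','a','r', 0xC0,0x04 };
static const uint8_t SAMPLE_LOOP[] = { 0xC0, 0x02, 0xC0, 0x00 };
static char name_buf[MAX_NAME + 1];

int main(void)
{
    int ok = parse_name_bounded(SAMPLE_OK, sizeof SAMPLE_OK, 11, name_buf, sizeof name_buf);
    printf("ok=%d name=%s\n", ok, ok < 0 ? "-" : name_buf);
    printf("loop=%d\n", parse_name_bounded(SAMPLE_LOOP, sizeof SAMPLE_LOOP, 0, name_buf, sizeof name_buf));
    return 0;
}
```

Because the pointer is followed by reassigning an offset inside one loop, stack use stays constant regardless of how many pointers the packet contains; the jump counter turns a cyclic chain into a parse error.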
Preconditions
- Network: Attacker must be able to send a UDP packet to port 5353 on the CUJO Smart Firewall.
- Input: The mDNS packet must have QR=1 (response) and TC=0 (not truncated) to pass the initial checks in parse_mdns.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] talosintelligence.com/vulnerability_reports/TALOS-2018-0671 (mitre, x_refsource_MISC)