CVE-2018-4003
Description
An exploitable heap overflow vulnerability exists in the mdnscap binary of the CUJO Smart Firewall running firmware 7003. The string lengths are handled incorrectly when parsing character strings in mDNS resource records, leading to arbitrary code execution in the context of the mdnscap process. An unauthenticated attacker can send an mDNS message to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Heap overflow in CUJO Smart Firewall's mdnscap binary allows unauthenticated remote code execution via a crafted mDNS message.
Vulnerability
A heap overflow vulnerability exists in the mdnscap binary of the CUJO Smart Firewall running firmware version 7003 [1]. The bug occurs when the binary parses character strings in mDNS resource records; it handles string lengths incorrectly, leading to a heap-based buffer overflow [1]. The affected component is part of a set of custom network monitoring tools used by the device [1].
Exploitation
An unauthenticated attacker can trigger the vulnerability by sending a specially crafted mDNS message to the target device over the network [1]. No authentication or user interaction is required; the attacker only needs network access to the CUJO Smart Firewall [1]. The mdnscap process receives and parses the message, and the incorrect string-length handling corrupts heap memory.
Impact
Successful exploitation results in arbitrary code execution within the context of the mdnscap process [1]. The CVSSv3 score is 8.3, with a vector of AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L, indicating low impact to confidentiality, integrity, and availability with a changed scope [1]. An attacker could potentially leverage this to escalate privileges or pivot to other services on the device.
Mitigation
No patch or updated firmware version has been released to address this vulnerability as of the publication date [1]. Users are advised to monitor vendor channels for a fix. No workarounds are documented in the available references [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: firmware 7003
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Incorrect handling of character-string lengths in the `collect_strings` function when parsing mDNS resource records leads to a heap-based buffer overflow."
Attack vector
An unauthenticated attacker on the same network sends a crafted mDNS response (QR=1) with TC=0 to UDP port 5353 [ref_id=1]. The `mdnscap` binary, which uses libpcap to capture mDNS packets, processes the message through `parse_mdns_records` and then `parse_rr`. When the RDATA contains a HINFO, TXT, or SRV record, `collect_strings` is invoked with a malformed character-string length, causing a heap-based buffer overflow [CWE-122]. This can lead to arbitrary code execution in the context of the `mdnscap` process.
Affected code
The vulnerability resides in the `collect_strings` function within the `mdnscap` binary. This function is called from `parse_rr` (via `dns_parse_qr`) when parsing mDNS resource records of types HINFO (13), TXT (16), and SRV (33). The `collect_strings` function allocates a heap buffer of size `rdlength + 1` via `calloc` [ref_id=1], but does not properly account for the actual lengths of the character strings being parsed, leading to a heap overflow.
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] identifies that `collect_strings` allocates a buffer of `rdlength + 1` bytes but does not correctly handle the lengths of individual character strings within the RDATA field. To remediate this vulnerability, the vendor would need to add proper bounds checking in `collect_strings` to ensure that each character string's declared length does not exceed the remaining RDATA space, and that the total copied data does not overflow the allocated heap buffer.
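The two bounds checks described above, as an added example that is not code from the advisory or the vendor. The function name `collect_strings_checked`, the space-joined output format and the sample RDATA are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened counterpart to collect_strings (name and output
 * format are assumptions). RDATA is a run of DNS character-strings: one
 * length byte followed by that many bytes. Returns the strings joined by
 * spaces in a calloc'd buffer, or NULL if any length overruns RDATA. */
char *collect_strings_checked(const uint8_t *rdata, uint16_t rdlength)
{
    size_t cap = (size_t)rdlength + 1;  /* allocation size the advisory describes */
    char *out = calloc(cap, 1);
    size_t in = 0, used = 0;

    if (out == NULL)
        return NULL;
    while (in < rdlength) {
        size_t len = rdata[in++];       /* declared length of this string */
        size_t sep = used ? 1 : 0;      /* separator once output is non-empty */

        /* Check 1: declared length must fit in what is left of RDATA. */
        /* Check 2: separator + copy + NUL must fit in the heap buffer. */
        if (len > rdlength - in || used + sep + len + 1 > cap) {
            free(out);
            return NULL;                /* reject the whole record */
        }
        if (sep)
            out[used++] = ' ';
        memcpy(out + used, rdata + in, len);
        used += len;
        in += len;
    }
    return out;                         /* NUL-terminated by calloc */
}

/* Constructed TXT RDATA samples (not captured traffic). */
static const uint8_t txt_ok[]  = { 3, 'a', '=', '1', 2, 'b', '=' };
static const uint8_t txt_bad[] = { 3, 'a', '=', '1', 200, 'b', '=' };

int main(void)
{
    char *s = collect_strings_checked(txt_ok, sizeof txt_ok);
    printf("well-formed: %s\n", s ? s : "(rejected)");
    free(s);
    s = collect_strings_checked(txt_bad, sizeof txt_bad);
    printf("oversized length byte: %s\n", s ? s : "(rejected)");
    free(s);
    return 0;
}
```

A record that fails either check is dropped whole rather than truncated, so a partially parsed string never reaches later processing.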
Preconditions
- network: Attacker must be on the same network as the CUJO Smart Firewall to send mDNS packets to UDP port 5353.
- config: The mdnscap process must be running (default behavior of the CUJO Smart Firewall firmware 7003).
- auth: No authentication required; the attacker can be unauthenticated.
- input: The crafted mDNS message must have QR=1 (response) and TC=0 (not truncated).
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] talosintelligence.com/vulnerability_reports/TALOS-2018-0672 (mitre, x_refsource_MISC)