CVE-2018-4011
Description
An exploitable integer underflow vulnerability exists in the mdnscap binary of the CUJO Smart Firewall, version 7003. When parsing SRV records in an mDNS packet, the "RDLENGTH" value is handled incorrectly, leading to an out-of-bounds access that crashes the mdnscap process. An unauthenticated attacker can send an mDNS message to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer underflow in CUJO Smart Firewall's mdnscap when parsing SRV records allows an unauthenticated attacker to trigger a crash via a crafted mDNS packet.
Vulnerability
An exploitable integer underflow vulnerability exists in the mdnscap binary of the CUJO Smart Firewall, firmware version 7003. When parsing SRV records in an mDNS packet, the "RDLENGTH" value is handled incorrectly, leading to an out-of-bounds access that crashes the mdnscap process. The vulnerability is classified as CWE-191: Integer Underflow (Wrap or Wraparound) [1].
Exploitation
An unauthenticated attacker can send a crafted mDNS message to a target CUJO Smart Firewall device on the local network. No authentication or user interaction is required. The vulnerability is triggered when the mdnscap process parses the SRV record with a malformed RDLENGTH field, causing an integer underflow that results in an out-of-bounds memory access [1].
Impact
Successful exploitation results in a denial-of-service condition by crashing the mdnscap process. The vulnerability does not lead to code execution or information disclosure. The CVSSv3 score is 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) [1].
Mitigation
As of the publication date (2019-03-21), no patch or fixed version has been released by CUJO for this vulnerability. The affected firmware version is 7003. Users should monitor the vendor for updates and consider network segmentation to limit exposure of the device to untrusted mDNS traffic [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the last update.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 7003
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Integer underflow in parse_rr when subtracting 6 from rdlength without validation, leading to an out-of-bounds read in collect_strings."
Attack vector
An unauthenticated attacker on the local network sends a crafted mDNS packet (UDP port 5353) containing an SRV resource record with an RDLENGTH value between 0 and 5. The `mdnscap` binary, which passively captures mDNS traffic via libpcap, parses the packet. The integer underflow at [23] causes `collect_strings` to read an overly large length from the RDATA field, resulting in an out-of-bounds memory access that crashes the `mdnscap` process [1].
Affected code
The vulnerability resides in the `parse_rr` function within the `mdnscap` binary. When handling SRV records (type 33), the code at [23] subtracts 6 from `rdlength` without checking if `rdlength` is less than 6, leading to an integer underflow. The resulting large value is passed to `collect_strings` [20], which uses it to allocate a heap buffer via `calloc` [25] and then reads beyond the intended RDATA field via `strncat` [32].
What the fix does
No patch is included in the bundle. The advisory [1] identifies the root cause as the unchecked subtraction of 6 from `rdlength` at [23] in `parse_rr`. A proper fix would validate that `rdlength` is greater than or equal to 6 before performing the subtraction, preventing the integer underflow and the subsequent out-of-bounds read in `collect_strings`.
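The check described above, as an added C sketch that is not code from the mdnscap binary or the advisory. The function names, the 16-bit result type and the extra packet-bounds check (which goes beyond the `rdlength >= 6` validation named above) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SRV RDATA starts with priority, weight and port, 2 bytes each (RFC 2782). */
#define SRV_FIXED_LEN 6u

/* Unchecked pattern: for rdlength 0..5 the subtraction wraps around.
 * Storing the result in a uint16_t is an assumption of this sketch. */
uint16_t srv_target_len_unchecked(uint16_t rdlength)
{
    return (uint16_t)(rdlength - SRV_FIXED_LEN);
}

/* Hardened form (hypothetical helper): returns 0 and sets *target_len only
 * when the record can hold the fixed fields and the RDATA lies entirely
 * inside the captured packet; returns -1 otherwise. */
int srv_target_len_checked(uint16_t rdlength, size_t rdata_off,
                           size_t pkt_len, uint16_t *target_len)
{
    if (rdlength < SRV_FIXED_LEN)
        return -1;                        /* subtraction would underflow */
    if (rdata_off > pkt_len || rdlength > pkt_len - rdata_off)
        return -1;                        /* RDATA runs past the packet */
    *target_len = (uint16_t)(rdlength - SRV_FIXED_LEN);
    return 0;
}

int main(void)
{
    /* Constructed inputs: a 64-byte packet whose RDATA begins at offset 50. */
    for (uint16_t rdlength = 0; rdlength <= 8; rdlength++) {
        uint16_t len = 0;
        int rc = srv_target_len_checked(rdlength, 50, 64, &len);
        printf("rdlength=%u unchecked=%u checked=%s",
               (unsigned)rdlength,
               (unsigned)srv_target_len_unchecked(rdlength),
               rc == 0 ? "ok" : "rejected");
        if (rc == 0)
            printf(" target_len=%u", (unsigned)len);
        putchar('\n');
    }
    return 0;
}
```

A parser using the checked form should drop the record when the function returns -1 instead of passing any length on to the string-collection step.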
Preconditions
- network: Attacker must be on the same local network as the CUJO Smart Firewall to send mDNS packets
- auth: No authentication required — the mdnscap process captures all mDNS traffic on port 5353
- input: The mDNS packet must have QR=1 (response) and TC=0 (not truncated) to reach the vulnerable code path
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2018-0681 (mitre, x_refsource_MISC)