CVE-2024-52615: 
Avahi vulnerability analysis and mitigation

A security vulnerability (CVE-2024-52615) was identified in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. The vulnerability was disclosed on November 21, 2024, affecting various versions of the Avahi service across multiple Linux distributions. This flaw has been assigned a CVSS v3.1 base score of 5.3 (Medium severity) (Red Hat CVE).

The vulnerability stems from Avahi-daemon's use of fixed source ports when performing wide-area DNS queries, which makes it susceptible to DNS response injection attacks. The issue has been classified under CWE-330 (Use of Insufficiently Random Values). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability primarily affects systems actively using wide-area DNS functionality in Avahi. The impact is limited to potential DNS spoofing attacks, with local mDNS (.local) remaining unaffected. The CVSS scoring indicates potential integrity impacts while confidentiality and availability remain uncompromised (Ubuntu Security).

The vulnerability can be mitigated by disabling wide-area DNS queries in Avahi. This can be accomplished by setting enable-wide-area=no in /etc/avahi/avahi-daemon.conf. Additionally, queries can be forwarded to local DNS resolvers like systemd-resolved, which provide better randomization (Ubuntu Security, Debian Tracker).

Avahi upstream has responded to the vulnerability by disabling wide-area functionality by default in newer versions. A separate issue has been created to track improvements to the wide-area functionality (Ubuntu Security).