Philips Electronics Information for VU#210620

uIP and lwIP DNS resolver vulnerable to cache poisoning

Status

Affected

Vendor Statement

The CERT/CC reached out to Philips Electronics after originally discovering the vulnerability in the Philips Hue product, which utilizes lwIP for its TCP/IP stack.

    Philips provided the following response:

    "This issue has been investigated. Application-layer authentication prevents exploitation affecting confidentiality or integrity of Hue communication, data, firmware updates, etc.

    Hue Bridge software update 01018228 that fixes this issue is available since December 2014. Users can upgrade via the Hue app."

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Vendor References

    http://www2.meethue.com/en-us/

http://www.usa.philips.com/

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.