
CERT Coordination Center


uIP and lwIP DNS resolver vulnerable to cache poisoning

Vulnerability Note VU#210620

Original Release Date: 2014-11-03 | Last Revised: 2017-02-13

Overview

The DNS resolver implemented in uIP and lwIP is vulnerable to cache poisoning due to non-randomized transaction IDs (TXIDs) and source port reuse.

Description

CWE-330: Use of Insufficiently Random Values - CVE-2014-4883

The DNS resolver implemented in all versions of uIP, as well as lwIP versions 1.4.1 and earlier, is vulnerable to cache poisoning due to non-randomized transaction IDs (TXIDs) and source port reuse.

For more information on the technical details and impact of this vulnerability, please refer to VU#800113.
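As an added example (not part of the original note and not uIP or lwIP code), the C routine below audits a capture of a device's outbound DNS queries for the two weaknesses named above: TXIDs that advance by a fixed step and source ports that repeat. The struct, function name, thresholds and sample captures are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One outbound DNS query as observed on the wire. */
struct dns_query_obs { uint16_t txid; uint16_t src_port; };

enum { WEAK_TXID = 1, WEAK_PORT = 2 };

/* Constructed sample captures (not taken from any real device). */
static const struct dns_query_obs weak_capture[] = {
    {0xFFFE, 49153}, {0xFFFF, 49153}, {0x0000, 49153}, {0x0001, 49153} };
static const struct dns_query_obs random_capture[] = {
    {0x3A91, 51234}, {0xC204, 40211}, {0x17EE, 61002}, {0x8B50, 33987} };

/* Heuristic audit (assumed thresholds): returns a bitmask.
 * WEAK_TXID: each TXID differs from the previous one by the same step,
 *            modulo 2^16 (a counter or a fixed ID).
 * WEAK_PORT: fewer than half of the queries use a distinct source port.
 * Captures shorter than 3 queries are too small to judge and return 0. */
int audit_dns_queries(const struct dns_query_obs *q, size_t n)
{
    int flags = 0;
    if (n < 3) return 0;

    uint16_t step = (uint16_t)(q[1].txid - q[0].txid);
    int constant_step = 1;
    for (size_t i = 2; i < n && constant_step; i++)
        if ((uint16_t)(q[i].txid - q[i - 1].txid) != step) constant_step = 0;
    if (constant_step) flags |= WEAK_TXID;

    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        while (j < i && q[j].src_port != q[i].src_port) j++;
        if (j == i) distinct++;          /* port not seen earlier */
    }
    if (distinct * 2 < n) flags |= WEAK_PORT;
    return flags;
}

int main(void)
{
    printf("weak capture flags:   %d\n", audit_dns_queries(weak_capture, 4));
    printf("random capture flags: %d\n", audit_dns_queries(random_capture, 4));
    return 0;
}
```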

Impact

A remote, unauthenticated attacker with the ability to conduct a successful cache poisoning attack can cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker's control.

Solution

Apply an Update

lwIP has released version 2.0.0 to address this issue. Users and downstream developers are encouraged to upgrade to the latest release of lwIP.

uIP is now incorporated into the Contiki project. No patch has been made available by Contiki at this time.

Please refer to VU#800113 for additional remediation and mitigation suggestions.

Vendor Information


Contiki OS

Notified: September 01, 2014 | Updated: October 27, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Philips Electronics

Notified: September 09, 2014 | Updated: August 27, 2015

Statement Date: August 26, 2015

Status

  Affected

Vendor Statement

The CERT/CC reached out to Philips Electronics after originally discovering the vulnerability in the Philips Hue product, which utilizes lwIP for its TCP/IP stack.

Philips provided the following response:

"This issue has been investigated. Application-layer authentication prevents exploitation affecting confidentiality or integrity of Hue communication, data, firmware updates, etc.

Hue Bridge software update 01018228 that fixes this issue has been available since December 2014. Users can upgrade via the Hue app."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www2.meethue.com/en-us/
http://www.usa.philips.com/

Addendum

There are no additional comments at this time.


lwIP

Notified: August 14, 2014 | Updated: October 21, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Thingsquare

Notified: September 11, 2014 | Updated: October 27, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.



CVSS Metrics

Group          Score  Vector
Base           6.8    AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal       5.0    E:U/RL:OF/RC:C
Environmental  5      CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND


Credit

Thanks to Allen D. Householder for reporting this vulnerability.

This document was written by Todd Lewellen.

Other Information

CVE IDs: CVE-2014-4883
Date Public: 2014-11-03
Date First Published: 2014-11-03
Date Last Updated: 2017-02-13 18:21 UTC
Document Revision: 24

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.