Philips Electronics Information for VU#210620
uIP and lwIP DNS resolver vulnerable to cache poisoning
- Date Notified: 09 Sep 2014
- Statement Date: 26 Aug 2015
- Date Updated: 27 Aug 2015
The CERT/CC reached out to Philips Electronics after originally discovering the vulnerability in the Philips Hue product, which utilizes lwIP for its TCP/IP stack.
Philips provided the following response:
"This issue has been investigated. Application-layer authentication prevents exploitation affecting confidentiality or integrity of Hue communication, data, firmware updates, etc.
Hue Bridge software update 01018228 that fixes this issue is available since December 2014. Users can upgrade via the Hue app."
We are not aware of further vendor information regarding this vulnerability.
There are no additional comments at this time.