From: Todd Lewellen
Subject: [lwip-devel] [bug #42987] lwIP is vulnerable to DNS cache poisoning due to non-randomized TXIDs
Date: Thu, 14 Aug 2014 14:54:07 +0000
User-agent: Mozilla/5.0 (X11; U; CrOS i686 0.13.507; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
URL:
<http://savannah.nongnu.org/bugs/?42987>
Summary: lwIP is vulnerable to DNS cache poisoning due to non-randomized TXIDs
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: tblewellen
Submitted on: Thu 14 Aug 2014 02:54:05 PM GMT
Category: DNS
Severity: 3 - Normal
Item Group: Faulty Behaviour
Status: None
Privacy: Private
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release:
lwIP version: git head
_______________________________________________________
Details:
Subject: [VU#210620] lwIP vulnerability
Greetings,
While reviewing our vulnerability reports we were notified of a vulnerability
in lwIP. We are tracking this issue as VU#210620. Our policy is to publish a
public vulnerability note within 45 days depending on the circumstances. An
example of our documents can be found here:
<http://www.kb.cert.org/vuls>
Allen Householder (address@hidden) discovered this issue.
A copy of the original report is included at the bottom of this message.
Please be sure to include VU#210620 in the subject when emailing us
(address@hidden) about this issue.
If you have any questions or concerns, please let us know.
Best Regards,
Vulnerability Analysis Team
======================================================================
CERT Coordination Center
www.cert.org / address@hidden / Hotline: 1-412-268-7090
======================================================================
----- BEGIN ORIGINAL VULNERABILITY REPORT -----
*Name: Allen D. Householder
*Organization: CERT
*Email Address: address@hidden
*Telephone Number: 412-927-4653
*Vulnerability Description:
The DNS resolver implemented by lwIP is vulnerable to cache poisoning due to
non-randomized query ids (aka Transaction ID or TXID) and source port reuse.
See related vul note http://www.kb.cert.org/vuls/id/800113
*Affected System Configurations:
lwIP (as of git commit e7f32240917cc912eb6e3e36780ecb3c4a06f264)
http://savannah.nongnu.org/projects/lwip/
source code: git://git.savannah.nongnu.org/lwip.git
lwIP is included in the Philips Hue bridge device sold as part of the Philips
Hue Personal Lighting system.
http://www.meethue.com
*How was this vulnerability found?:
Originally found by sniffing DNS traffic out of a Philips Hue bridge. Saw that
DNS TXIDs were monotonically increasing from 0x0000, 0x0001, 0x0002, etc. The
code below appears to explain that behavior.
Check out git://git.savannah.nongnu.org/lwip.git
In src/core/dns.c:
/**
 * Call dns_check_entry for each entry in dns_table - check all entries.
 */
static void
dns_check_entries(void)
{
  u8_t i;
  for (i = 0; i < DNS_TABLE_SIZE; ++i) {
    dns_check_entry(i);
  }
}
...
dns_check_entry(u8_t i)
{
  ...
  /* send DNS packet for this entry */
  err = dns_send(pEntry->numdns, pEntry->name, i);
  ...
dns_send(u8_t numdns, const char* name, u8_t id)
{
  ...
  struct dns_hdr *hdr;
  ...
  hdr = (struct dns_hdr*)p->payload;
  ...
  hdr->id = htons(id);
*Vulnerability Impact:
From VU#800113: An attacker with the ability to conduct a successful cache
poisoning attack can cause a nameserver's clients to contact the incorrect,
and possibly malicious, hosts for particular services. Consequently, web
traffic, email, and other important network data can be redirected to systems
under the attacker's control.
In the case of the Hue system, an attacker could potentially man-in-the-middle
traffic between the Hue bridge device and Philips portal services (including
possibly messing with firmware updates).
*Comments:
I searched https://savannah.nongnu.org/search/?type_of_search=bugs&words=dns
and did not see any related tickets.
----- END ORIGINAL VULNERABILITY REPORT -----
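The excerpt in the report shows the dns_table slot index being written straight into the DNS header as the TXID, which is why the captured queries counted up from 0x0000. The following is an added example, not lwIP code: it contrasts that index-derived TXID with a per-query random TXID that is stored and checked against the reply, and includes a small check that flags the sequential pattern in a constructed capture. The struct dns_entry, get_random_u16() and the captured_txids array are hypothetical; rand() is only a stand-in for a proper entropy source.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#include <arpa/inet.h>

#define DNS_TABLE_SIZE 4

/* Hypothetical resolver table entry: remembers the TXID that was sent
 * so the reply can be matched against it. */
struct dns_entry {
    uint16_t txid;
};

/* Pattern from the excerpt: the table slot index becomes the wire TXID. */
uint16_t txid_from_index(uint8_t i) { return (uint16_t)i; }

/* Assumption: on a real target this is backed by a CSPRNG or hardware RNG;
 * rand() is used here purely so the example runs stand-alone. */
static uint16_t get_random_u16(void) { return (uint16_t)(rand() & 0xFFFF); }

/* Hardened send: pick a fresh 16-bit TXID for slot i, store it, and return
 * the network-order value that would be written to hdr->id. */
uint16_t dns_send_hardened(struct dns_entry *tbl, uint8_t i)
{
    tbl[i].txid = get_random_u16();
    return htons(tbl[i].txid);
}

/* Accept a reply for slot i only if its TXID matches the one we sent. */
int dns_reply_matches(const struct dns_entry *tbl, uint8_t i, uint16_t wire_id)
{
    return ntohs(wire_id) == tbl[i].txid;
}

/* Detection helper: 1 if every observed TXID is the previous one plus one,
 * i.e. the monotonically increasing sequence seen on the wire in the report. */
int txids_sequential(const uint16_t *ids, size_t n)
{
    size_t k;
    if (n < 3) return 0;              /* too few samples to call it a pattern */
    for (k = 1; k < n; k++)
        if ((uint16_t)(ids[k - 1] + 1) != ids[k]) return 0;
    return 1;
}

/* Constructed sample of TXIDs as a sniffer might record them from the
 * index-derived resolver; not a real capture. */
static const uint16_t captured_txids[] = { 0x0000, 0x0001, 0x0002, 0x0003, 0x0004 };

int captured_looks_sequential(void)
{
    return txids_sequential(captured_txids, sizeof captured_txids / sizeof captured_txids[0]);
}
```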
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?42987>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/