uIP and lwIP DNS resolver exposed to cache poisoning attacks

Pierluigi Paganini November 04, 2014

The DNS resolver implemented in the open source TCP/IP stacks uIP and lwIP is vulnerable to cache poisoning; the flaw could be exploited to divert traffic to malicious websites.

The security researcher Allen D. Householder has reported a serious vulnerability in the uIP and lwIP DNS resolver; according to Vulnerability Note VU#210620, it is exposed to cache poisoning attacks.

uIP is an open source TCP/IP stack designed for tiny 8- and 16-bit microcontrollers; because it consumes very few resources, it is well suited to IoT and embedded devices.

lwIP, also known as lightweight IP, is another widely used open source TCP/IP stack designed for embedded systems.

The vulnerability note states that the DNS resolver implemented in uIP and lwIP is vulnerable to cache poisoning because it does not randomize transaction IDs (TXIDs) and reuses the same UDP source port for its queries.

“The DNS protocol specification includes a transaction ID field of 16 bits. If the specification is correctly implemented and the transaction ID is randomly selected with a strong random number generator, an attacker will require, on average, 32,768 attempts to successfully predict the ID. Some flawed implementations may use a smaller number of bits for this transaction ID, meaning that fewer attempts will be needed. Furthermore, there are known errors with the randomness of transaction IDs that are generated by a number of implementations. Amit Klein researched several affected implementations in 2007.” states the Vulnerability Note VU#800113.
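As an added illustration (not part of the CERT/CC note and not code from uIP, lwIP or Contiki), the following Python audit checks a captured sequence of a device's outbound DNS queries for the two weaknesses the note describes: a TXID that advances by a constant step instead of being random, and a source port that is reused for every query. The two traces are constructed here for the example; `_dns_query`, `WEAK_TRACE`, `GOOD_TRACE` and the flagging thresholds are the example's own assumptions, not values from the advisory.

```python
import struct
from collections import Counter


def _dns_query(txid, name):
    """Build a minimal DNS A query (12-byte header + question) carrying txid."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


# Constructed sample traces: (udp_source_port, raw_dns_message) pairs as a
# capture tool would hand them over. WEAK_TRACE mimics a resolver that keeps
# one source port and counts its TXID up by one; GOOD_TRACE uses values that
# a resolver drawing both fields from a CSPRNG might produce.
WEAK_TRACE = [(1025, _dns_query(0x0100 + i, f"host{i}.example.com")) for i in range(8)]
GOOD_PAIRS = [(49231, 0x4E1F), (51877, 0x09C3), (33012, 0xD2A8), (60123, 0x7B10),
              (40455, 0x2F6E), (35790, 0xA931), (58311, 0x5C07), (44928, 0xE4D5)]
GOOD_TRACE = [(port, _dns_query(txid, f"host{i}.example.com"))
              for i, (port, txid) in enumerate(GOOD_PAIRS)]


def audit_dns_trace(trace):
    """Flag predictable TXIDs and source-port reuse in a sequence of queries.

    TXIDs are flagged when every consecutive pair differs by the same step
    (a constant or a simple counter); for genuinely random 16-bit IDs the
    chance of that over more than a handful of queries is negligible.
    Source-port reuse is flagged when one port carries more than half of
    the queries, which a randomized ephemeral port would not do.
    """
    txids = [struct.unpack(">H", msg[:2])[0] for _, msg in trace]  # TXID = first 2 bytes
    ports = [port for port, _ in trace]
    steps = {(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])}
    top_port, hits = Counter(ports).most_common(1)[0]
    predictable = len(txids) > 2 and len(steps) == 1
    reuse = hits > len(ports) // 2
    return {
        "queries": len(trace),
        "predictable_txid": predictable,
        "txid_step": steps.pop() if predictable else None,
        "port_reuse": reuse,
        "reused_port": top_port if reuse else None,
    }


if __name__ == "__main__":
    for label, trace in (("weak", WEAK_TRACE), ("good", GOOD_TRACE)):
        print(label, audit_dns_trace(trace))
```

A run over real traffic would feed the audit with (source port, payload) pairs read from a capture of UDP/53 queries leaving the device; both flags raised together is the pattern the note attributes to uIP and unpatched lwIP.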

The vulnerability, tracked as CVE-2014-4883, affects the DNS resolver in all versions of uIP and in lwIP versions 1.4.1 and earlier.

lwIP stack

An attacker could exploit the vulnerability remotely to carry out a cache poisoning attack, a technique that causes a name server to return an incorrect IP address, allowing the attacker to divert traffic to malicious websites under their control.

“A remote, unauthenticated attacker with the ability to conduct a successful cache poisoning attack can cause a nameserver’s clients to contact the incorrect, and possibly malicious, hosts for particular services. Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker’s control.” states the note.

The vulnerability note also describes the remediation, which is to apply the relevant update:

  • lwIP has committed a fix to the lwIP source repository. If possible, users and downstream developers should upgrade to lwIP git commit b8d798158bce0068260302371afb2b4ab4d3678a or greater.
  • uIP is now incorporated into the Contiki project. No patch has been made available by Contiki at this time.

The following table lists the vendors affected by the security flaw.

Vendor               Status    Date Notified  Date Updated
Contiki OS           Affected  01 Sep 2014    27 Oct 2014
lwIP                 Affected  14 Aug 2014    21 Oct 2014
Philips Electronics  Affected  09 Sep 2014    21 Oct 2014
Thingsquare          Unknown   11 Sep 2014    27 Oct 2014

Pierluigi Paganini

Security Affairs – (lwIP, IoT)
