CVE-2014-4883 — Insufficient Verification of Data Authenticity in Project Lwip

CWE-345 — Insufficient Verification of Data Authenticity6 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 70.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lwip Project Lwip Debian XEN

Timeline

PublishedNov 28

Latest updateMay 17

Description

resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDlwip_project/lwip1.4.1

▶debiandebian/xen

Patches

Patch: git.savannah.gnu.org ↗Patch: git.savannah.gnu.org ↗

🔴Vulnerability Details

GHSA

GHSA-r2m4-j583-8hw8: resolv↗2022-05-17

▶

OSV

CVE-2014-4883: resolv↗2014-11-28

▶

📋Vendor Advisories

Debian

CVE-2014-4883: xen - resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1...↗2014

▶

💬Community

Bugzilla

CVE-2014-4883 xen: embedded lwIP's DNS resolver does not randomize ID fields or source ports of DNS query packets↗2014-11-28

▶

Bugzilla

CVE-2014-4883 xen: embedded lwIP's DNS resolver does not randomize ID fields or source ports of DNS query packets [fedora-all]↗2014-11-28

▶