CVE-2014-4883

resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets.

Weakness

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Affected Software

Name	Vendor	Start Version	End Version
Lwip	Lwip_project	*	1.4.1 (including)
Lwipv6	Ubuntu	artful	*
Lwipv6	Ubuntu	bionic	*
Lwipv6	Ubuntu	cosmic	*
Lwipv6	Ubuntu	devel	*
Lwipv6	Ubuntu	disco	*
Lwipv6	Ubuntu	eoan	*
Lwipv6	Ubuntu	esm-apps/bionic	*
Lwipv6	Ubuntu	esm-apps/focal	*
Lwipv6	Ubuntu	esm-apps/jammy	*
Lwipv6	Ubuntu	esm-apps/noble	*
Lwipv6	Ubuntu	esm-apps/xenial	*
Lwipv6	Ubuntu	focal	*
Lwipv6	Ubuntu	groovy	*
Lwipv6	Ubuntu	hirsute	*
Lwipv6	Ubuntu	impish	*
Lwipv6	Ubuntu	jammy	*
Lwipv6	Ubuntu	kinetic	*
Lwipv6	Ubuntu	lucid	*
Lwipv6	Ubuntu	lunar	*
Lwipv6	Ubuntu	mantic	*
Lwipv6	Ubuntu	noble	*
Lwipv6	Ubuntu	oracular	*
Lwipv6	Ubuntu	plucky	*
Lwipv6	Ubuntu	precise	*
Lwipv6	Ubuntu	questing	*
Lwipv6	Ubuntu	trusty	*
Lwipv6	Ubuntu	utopic	*
Lwipv6	Ubuntu	vivid	*
Lwipv6	Ubuntu	wily	*
Lwipv6	Ubuntu	xenial	*
Lwipv6	Ubuntu	yakkety	*
Lwipv6	Ubuntu	zesty	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2014-4883
CWE	https://cwe.mitre.org/data/definitions/345.html

Insufficient Verification of Data Authenticity

Weakness

Affected Software

References

CVE-2014-4883

Insufficient Verification of Data Authenticity

Weakness

Affected Software

Related Attack Patterns

References