CVE Vulnerabilities

CVE-2014-4883

Insufficient Verification of Data Authenticity

Published: Nov 28, 2014 | Modified: Jan 08, 2015
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu

resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets.

Weakness

The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Affected Software

Name Vendor Start Version End Version
Lwip Lwip_project * 1.4.1
Lwipv6 Ubuntu artful *
Lwipv6 Ubuntu bionic *
Lwipv6 Ubuntu cosmic *
Lwipv6 Ubuntu devel *
Lwipv6 Ubuntu disco *
Lwipv6 Ubuntu eoan *
Lwipv6 Ubuntu focal *
Lwipv6 Ubuntu groovy *
Lwipv6 Ubuntu hirsute *
Lwipv6 Ubuntu impish *
Lwipv6 Ubuntu jammy *
Lwipv6 Ubuntu lucid *
Lwipv6 Ubuntu precise *
Lwipv6 Ubuntu trusty *
Lwipv6 Ubuntu utopic *
Lwipv6 Ubuntu vivid *
Lwipv6 Ubuntu wily *
Lwipv6 Ubuntu xenial *
Lwipv6 Ubuntu yakkety *
Lwipv6 Ubuntu zesty *

References