CVE-2014-4883

Published: Nov 28, 2014Modified: May 6, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets.

Affected (1)

Products: Lwip Project: Lwip

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Lwip Project Lwip	Up to 1.4.1

Related CWEs

Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

References (4)

http://git.savannah.gnu.org/cgit/lwip.git/commit/?id=9fb46e120655ac481b2af8f865d5ae56c39b831a

Source: cret@cert.org

Patch

http://www.kb.cert.org/vuls/id/210620

Source: cret@cert.org

US Government Resource

http://git.savannah.gnu.org/cgit/lwip.git/commit/?id=9fb46e120655ac481b2af8f865d5ae56c39b831a

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://www.kb.cert.org/vuls/id/210620

Source: af854a3a-2127-422b-91ae-364da2661108

US Government Resource

Timeline

No history available yet.