Vulnerability Details : CVE-2014-4883
resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, do not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets.
Products affected by CVE-2014-4883
- cpe:2.3:a:lwip_project:lwip:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-4883
- 0.09%: Probability of exploitation activity in the next 30 days
- ~ 37%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-4883
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2014-4883
- The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-4883
- http://www.kb.cert.org/vuls/id/210620
  VU#210620 - uIP and lwIP DNS resolver vulnerable to cache poisoning (US Government Resource)
- http://git.savannah.gnu.org/cgit/lwip.git/commit/?id=9fb46e120655ac481b2af8f865d5ae56c39b831a
  lwip.git - lwIP - A Lightweight TCPIP stack (Patch)