Bug 1169008 (CVE-2014-4883)

Summary: CVE-2014-4883 xen: embedded lwIP's DNS resolver does not randomize ID fields or source ports of DNS query packets
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: jforbes, kraxel, m.a.young, virt-maint
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2019-06-08 02:36:40 UTC
Bug Depends On: 1169009

Description Vincent Danen 2014-11-28 20:40:50 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-4883 to
the following vulnerability:

Name: CVE-2014-4883
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4883
Assigned: 20140710
Reference: http://git.savannah.gnu.org/cgit/lwip.git/commit/?h=DEVEL-1_4_1&id=9fb46e120655ac481b2af8f865d5ae56c39b831a
Reference: CERT-VN:VU#210620
Reference: http://www.kb.cert.org/vuls/id/210620

resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in
lwIP 1.4.1 and earlier, does not use random values for ID fields and
source ports of DNS query packets, which makes it easier for
man-in-the-middle attackers to conduct cache-poisoning attacks via
spoofed reply packets.


NOTE: Xen as shipped with Fedora contains an embedded copy of lwip.  It's not known for certain whether the affected functionality affects Xen, however.
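
A defender's check for the weakness the CVE text above describes, as an added example that is not part of this bug report or of lwIP, uIP or Xen: it audits the transaction IDs and UDP source ports of queries captured from a resolver and flags a field that stays fixed or advances by a constant step. The struct, function and flag names and all sample values are constructed for illustration, and the constant-step heuristic is an assumption that goes beyond what the report states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; not lwIP, uIP or Xen code. One captured outgoing query. */
struct dns_obs { uint16_t id; uint16_t sport; };

#define DNS_ID_PREDICTABLE   0x1
#define DNS_PORT_PREDICTABLE 0x2

/* Constructed samples (not real captures). */
static const struct dns_obs sample_weak[] = {       /* counter ID, fixed port */
    {0, 49152}, {1, 49152}, {2, 49152}, {3, 49152}, {4, 49152} };
static const struct dns_obs sample_fixed_port[] = { /* random ID, fixed port */
    {0x9c41, 49152}, {0x17e2, 49152}, {0xd305, 49152}, {0x4b7a, 49152} };
static const struct dns_obs sample_random[] = {     /* both fields vary */
    {0x9c41, 51234}, {0x17e2, 33871}, {0xd305, 60412}, {0x4b7a, 40977} };

static uint16_t field(const struct dns_obs *q, int use_port)
{
    return use_port ? q->sport : q->id;
}

/* 1 if every consecutive pair differs by the same step modulo 2^16:
 * step 0 is a fixed value, any other step is a plain counter. */
static int constant_stride(const struct dns_obs *q, size_t n, int use_port)
{
    if (n < 4)
        return 0; /* too few samples to call it a pattern */
    uint16_t step = (uint16_t)(field(&q[1], use_port) - field(&q[0], use_port));
    for (size_t i = 2; i < n; i++)
        if ((uint16_t)(field(&q[i], use_port) - field(&q[i - 1], use_port)) != step)
            return 0;
    return 1;
}

/* Bitmask of DNS_*_PREDICTABLE flags for a run of captured queries. */
int dns_audit(const struct dns_obs *q, size_t n)
{
    return (constant_stride(q, n, 0) ? DNS_ID_PREDICTABLE : 0) |
           (constant_stride(q, n, 1) ? DNS_PORT_PREDICTABLE : 0);
}

int main(void)
{
    printf("weak=%d fixed_port=%d random=%d\n",
           dns_audit(sample_weak, 5), dns_audit(sample_fixed_port, 4),
           dns_audit(sample_random, 4));
    return 0;
}
```

A result of 0 only means no fixed or counter pattern was seen in the sample; it does not prove the values come from a strong random source.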

Comment 1 Vincent Danen 2014-11-28 20:44:35 UTC
Looking at xen-4.3.3/stubdom/lwip/src/core/dns.c the code is quite a bit different (note this is lwip-1.3.0) and it doesn't seem to even make an attempt at randomization in any way so the patch noted above may not be sufficient.

I am going to file a Fedora tracking bug for this; the Xen developer will know best whether or not this is something that concerns Xen at all.

Comment 2 Vincent Danen 2014-11-28 20:44:53 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1169009]

Comment 3 Product Security DevOps Team 2019-06-08 02:36:40 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.