Source: securityboulevard.com – Author: Kari Hulkko
Exploitation
IP address spoofing involves creating IP packets with a fake source IP address. This is typically done with the intention of deceiving the recipient into believing that the packet is coming from a legitimate source. When the recipient sends a response back to the source IP address, it is sent to the fake source IP address instead.
A Zephyr OS network stack implementation does not drop IP packets arriving from an external interface with a source address equal to the localhost or the destination address, which is a violation of the recommended security practice.
When the localhost or destination address is used as a fake source address, the response goes to the loopback interface, bypassing host-side IP address–based access control. Depending on the implementation and protocol (UDP/TCP), the target device might handle all or some of the data from the response. One example of this kind of behavior being used to extend local vulnerability to an adjacent network can be seen here.
When responses are handled by loopback interfaces, the target becomes more vulnerable to denial-of-service attacks. In Zephyr OS, there was also a bug causing system instability (a crash) when the loopback interface was handling packets from the external interface. The crash was reproduced with IPv4 and IPv6 packets over TCP connection.
Original Post URL: https://securityboulevard.com/2024/03/cyrc-vulnerability-advisory-cve-2023-7060-missing-security-control-in-zephyr-os-ip-packet-handling/
Category & Tags: Security Bloggers Network,”CyRC”,”Software Integrity”,fuzzing – Security Bloggers Network,”CyRC”,”Software Integrity”,fuzzing
