{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/417980#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nA novel traffic-loop vulnerability has been identified in certain implementations of UDP-based application protocols. An unauthenticated attacker can send maliciously crafted packets to a vulnerable implementation of a UDP-based application protocol (e.g., DNS, NTP, TFTP), which can lead to Denial-of-Service (DoS) and/or abuse of resources.\r\n\r\n### Description\r\n\r\nThe User Datagram Protocol ([UDP](https://datatracker.ietf.org/doc/html/rfc768)) is a simple, connectionless protocol that is still commonly used in many internet-based applications. UDP provides only limited packet verification (no handshake and no source authentication) and is therefore susceptible to IP spoofing. Security researchers have identified that certain application-protocol implementations running over UDP can be triggered into a network loop of seemingly never-ending packets. Implementations of the UDP-based application protocols DNS, NTP, TFTP, Echo (RFC 862), Chargen (RFC 864), and QOTD (RFC 865) were specifically found to be vulnerable to such network loops.\r\n\r\nFor example, if two application servers run a vulnerable implementation of the same protocol, an attacker can send a packet to the first server with the source address spoofed to that of the second server (the victim). In many cases the first server responds to the victim with an error message, which in turn provokes a similar error message back to the first server, and the two servers keep exchanging errors in a seemingly never-ending loop. This behavior has been demonstrated to exhaust resources and can cause services to become unresponsive or unstable.\r\n\r\n### Impact\r\n\r\nSuccessful exploitation of this vulnerability could result in the following scenarios:\r\n1. Overload of the vulnerable service, causing it to become unstable or unusable.\r\n2. DoS of the network backbone, causing outages for other services.\r\n3. Amplification attacks, in which network loops magnify DoS or DDoS traffic.\r\n\r\n### Solution\r\n\r\n#### Apply updates\r\n\r\nCERT/CC recommends that you apply the latest patch provided by the affected vendor that addresses this vulnerability in its implementation. Review the vendor-specific information below. If the product is end-of-life or unsupported, the vendor is unlikely to release a patch; in that case, we recommend replacing the device.\r\n\r\n#### Protect or replace UDP applications\r\n\r\nWhere possible, protect UDP-based applications with network firewall rules and/or other access-control lists to prevent unauthorized access. If the same service can be provided over TCP, or if the UDP-based application protocol offers a request-validation capability (e.g., [Message-Authenticator](https://freeradius.org/rfc/rfc2869.html#Message-Authenticator)), use it so that unknown or spoofed requests are rejected. Disable unnecessary and unused UDP services that may be enabled as part of your operating system, so that they are not exposed to abuse.\r\n\r\n#### Deploy anti-spoofing\r\n\r\nNetwork providers should deploy anti-spoofing techniques ([BCP38](https://www.rfc-editor.org/info/bcp38)), such as Unicast Reverse Path Forwarding ([uRPF](https://datatracker.ietf.org/doc/html/rfc3704)), to prevent IP spoofing and to protect their internet-facing resources against spoofing and abuse.\r\n\r\n#### Enforce network rate-limiting\r\n\r\nService providers should employ network rate-limiting capabilities, such as Quality-of-Service (QoS), to protect their networks from abuse by network loops and amplification and to ensure that their critical resources and services remain available.\r\n\r\n### Acknowledgements\r\n\r\nThanks to the reporters Yepeng Pan and Christian Rossow from the CISPA Helmholtz Center for Information Security, Germany. This document was written by Elke Drennan and Vijay Sarvepalli.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support the \"known_affected\" and \"known_not_affected\" statuses. Please consult the vendor's statements and advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"},{"category":"other","text":"Some older DSL/PON/Wifi routers have dproxy-nexgen as part of their SDK, optionally used by SDK customers. Customers of those SDKs have been provided with a patch.\r\n\r\nAll newer SDKs, beginning with releases in 2021, have had dproxy-nexgen removed.","title":"Vendor statement from Broadcom"},{"category":"other","text":"This issue has been assessed as a service-impacting denial of service against WDS, but it does not result in a crash of the host system. A fix for this issue will be considered for a future version of Windows. Microsoft recommends following best security practices when deploying any service, which includes restricting access at edge firewalls to any ports that do not require external access.","title":"Vendor statement from Microsoft"},{"category":"other","text":"Cisco reviewed the disclosed vulnerabilities via PSIRT-0133586819:\r\n\r\nUDP-based legacy protocols (QOTD, Chargen, Echo, Time, Daytime, and Active Users)\r\n* These should be disabled by default on all Cisco products.\r\n\r\nDNS\r\nUsing the POC provided:\r\n* Cisco Umbrella will drop these packets.\r\n* Cisco Prime Network Registrar will drop these packets.\r\n* The only products using dproxy-nexgen or dproxy are Cisco RV132W and RV134W, which are [end of life](https://www.cisco.com/c/en/us/products/collateral/routers/small-business-rv-series-routers/eos-eol-notice-c51-744065.html).\r\n\r\nTFTP\r\n* Currently no known products are affected.\r\n\r\nNTP\r\nCisco published https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20091208-CVE-2009-3563 regarding this vulnerability back in 2009.","title":"Vendor statement from Cisco"},{"category":"other","text":"The following end-of-life products are affected:\r\nZyWALL 2, ZyWALL 2 Plus, ZyWALL 2WG, ZyWALL 5, ZyWALL 35, and ZyWALL 70\r\n\r\nWe recommend replacing these devices, as the vendor has indicated that patches will not be provided for them.","title":"CERT/CC comment on Zyxel notes"},{"category":"other","text":"Our TFTP service is affected; we have resolved the issue in version 7.14beta6. Stable versions after 7.13.2 will include a patch for this issue.","title":"Vendor statement from MikroTik"},{"category":"other","text":"We are affected in out-of-support products.","title":"Vendor statement from Honeywell"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/417980"},{"url":"https://docs.google.com/document/d/1KByZzrdwQhrXGPPCf9tUzERZyRzg0xOpGbWoDURZxTI/edit#heading=h.edovh0fxvs07","summary":"https://docs.google.com/document/d/1KByZzrdwQhrXGPPCf9tUzERZyRzg0xOpGbWoDURZxTI/edit#heading=h.edovh0fxvs07"},{"url":"https://datatracker.ietf.org/doc/html/rfc768","summary":"https://datatracker.ietf.org/doc/html/rfc768"},{"url":"https://datatracker.ietf.org/doc/html/rfc862/","summary":"https://datatracker.ietf.org/doc/html/rfc862/"},{"url":"https://datatracker.ietf.org/doc/html/rfc864/","summary":"https://datatracker.ietf.org/doc/html/rfc864/"},{"url":"https://www.cisa.gov/news-events/alerts/2014/01/17/udp-based-amplification-attacks","summary":"https://www.cisa.gov/news-events/alerts/2014/01/17/udp-based-amplification-attacks"},{"url":"https://manrs.org/netops/guide/antispoofing/","summary":"https://manrs.org/netops/guide/antispoofing/"},{"url":"https://datatracker.ietf.org/doc/html/rfc7873","summary":"https://datatracker.ietf.org/doc/html/rfc7873"},{"url":"https://www.darkreading.com/cyberattacks-data-breaches/breaking-the-ddos-attack-loop-with-rate-limiting","summary":"https://www.darkreading.com/cyberattacks-data-breaches/breaking-the-ddos-attack-loop-with-rate-limiting"},{"url":"https://www.dotmagazine.online/issues/digital-responsibility-and-sustainability/dns-cookies-transaction-mechanism","summary":"https://www.dotmagazine.online/issues/digital-responsibility-and-sustainability/dns-cookies-transaction-mechanism"},{"url":"https://www.kb.cert.org/vuls/id/568372","summary":"https://www.kb.cert.org/vuls/id/568372"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2009-3563","summary":"https://nvd.nist.gov/vuln/detail/CVE-2009-3563"},{"url":"https://vuls.cert.org/confluence/display/historical/CERT+Advisory+CA-1996-01+UDP+Port+Denial-of-Service+Attack","summary":"https://vuls.cert.org/confluence/display/historical/CERT+Advisory+CA-1996-01+UDP+Port+Denial-of-Service+Attack"}],"title":"Implementations of UDP-based application protocols are vulnerable to network loops","tracking":{"current_release_date":"2024-10-03T15:04:29+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#417980","initial_release_date":"2024-03-19 19:49:43.994589+00:00","revision_history":[{"date":"2024-10-03T15:04:29+00:00","number":"1.20241003150429.6","summary":"Released on 2024-10-03T15:04:29+00:00"}],"status":"final","version":"1.20241003150429.6"}},"vulnerabilities":[{"title":"ntp_request.","notes":[{"category":"summary","text":"ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons."}],"cve":"CVE-2009-3563","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#417980"}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2009-3563","summary":"Cisco published the following Security Advisory regarding the issue back in 2009. Advisory ID: Cisco-SA-20091208-CVE-2009-3563","category":"external"},{"url":"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20091208-CVE-2009-3563","summary":"Cisco published the following Security Advisory regarding the issue back in 2009. Advisory ID: Cisco-SA-20091208-CVE-2009-3563","category":"external"}],"product_status":{"known_affected":["CSAFPID-dd4f912a-3846-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-dd4ed456-3846-11f1-8422-122e2785dc9f","CSAFPID-dd4f18bc-3846-11f1-8422-122e2785dc9f","CSAFPID-dd4f6498-3846-11f1-8422-122e2785dc9f"]}},{"title":"Uncontrolled Resource Consumption vulnerability in Honeywell Niagara Framework on Windows, Linux, QNX allows Content Spoofing.","notes":[{"category":"summary","text":"Uncontrolled Resource Consumption vulnerability in Honeywell Niagara Framework on Windows, Linux, QNX allows Content Spoofing. This issue affects Niagara Framework: before Niagara AX 3.8.1, before Niagara 4.1."}],"cve":"CVE-2024-1309","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#417980"}],"product_status":{"known_not_affected":["CSAFPID-dd50074a-3846-11f1-8422-122e2785dc9f","CSAFPID-dd50502e-3846-11f1-8422-122e2785dc9f","CSAFPID-dd509192-3846-11f1-8422-122e2785dc9f","CSAFPID-dd50e6a6-3846-11f1-8422-122e2785dc9f"]}},{"title":"Implementations of UDP-based application protocols are vulnerable to network loops.","notes":[{"category":"summary","text":"Implementations of UDP-based application protocols are vulnerable to network loops. An unauthenticated attacker can send maliciously crafted packets to a vulnerable implementation, which can lead to Denial of Service (DoS) and/or abuse of resources."}],"cve":"CVE-2024-2169","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#417980"}],"references":[{"url":"https://access.redhat.com/security/cve/cve-2024-2169","summary":"https://access.redhat.com/security/cve/cve-2024-2169","category":"external"}],"product_status":{"known_affected":["CSAFPID-dd519e2a-3846-11f1-8422-122e2785dc9f","CSAFPID-dd51dad4-3846-11f1-8422-122e2785dc9f","CSAFPID-dd52758e-3846-11f1-8422-122e2785dc9f","CSAFPID-dd52c5ca-3846-11f1-8422-122e2785dc9f","CSAFPID-dd531b38-3846-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-dd515d34-3846-11f1-8422-122e2785dc9f","CSAFPID-dd5212e2-3846-11f1-8422-122e2785dc9f","CSAFPID-dd523da8-3846-11f1-8422-122e2785dc9f","CSAFPID-dd534c34-3846-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-dd4ed456-3846-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Zyxel","product":{"name":"Zyxel Products","product_id":"CSAFPID-dd4f18bc-3846-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Vantiva","product":{"name":"Vantiva Products","product_id":"CSAFPID-dd4f6498-3846-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Cisco","product":{"name":"Cisco Products","product_id":"CSAFPID-dd4f912a-3846-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-dd50074a-3846-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Zyxel","product":{"name":"Zyxel Products","product_id":"CSAFPID-dd50502e-3846-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Vantiva","product":{"name":"Vantiva Products","product_id":"CSAFPID-dd509192-3846-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Cisco","product":{"name":"Cisco Products","product_id":"CSAFPID-dd50e6a6-3846-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-dd515d34-3846-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Zyxel","product":{"name":"Zyxel Products","product_id":"CSAFPID-dd519e2a-3846-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-dd51dad4-3846-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Vantiva","product":{"name":"Vantiva Products","product_id":"CSAFPID-dd5212e2-3846-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Allegro Software Development Corporation","product":{"name":"Allegro Software Development Corporation Products","product_id":"CSAFPID-dd523da8-3846-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"MikroTik","product":{"name":"MikroTik Products","product_id":"CSAFPID-dd52758e-3846-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Hughes Network Systems Inc.","product":{"name":"Hughes Network Systems Inc. Products","product_id":"CSAFPID-dd529e92-3846-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Broadcom","product":{"name":"Broadcom Products","product_id":"CSAFPID-dd52c5ca-3846-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Honeywell","product":{"name":"Honeywell Products","product_id":"CSAFPID-dd531b38-3846-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Cisco","product":{"name":"Cisco Products","product_id":"CSAFPID-dd534c34-3846-11f1-8422-122e2785dc9f"}}]}}