IP address spoofing involves creating Internet Protocol (IP) packets with a fake source IP address. This is typically done with the intention of deceiving the recipient into believing that the packet is coming from a legitimate source. When the recipient sends a response back to the source IP address, it is sent to the fake source IP address instead.

Zephyr OS network stack implementation does not drop IP packets arriving from an external interface with a source address equal to the localhost or the destination address, which is a violation of the recommended security practice.

When the localhost or the destination address is used as a fake source address, then the response ends up to the loopback interface bypassing host side IP-address based access control. Depending on the implementation and used protocol (UDP/TCP) the target device might handle all or some data from the response. Here is one example when this kind of behaviour is used to extend local vulnerability to adjacent network: https://googleprojectzero.blogspot.com/2015/01/finding-and-exploiting-ntpd.html

When responses are handled by loopback interfaces, the target becomes more vulnerable to DoS (Denial of Service) attacks. In Zephyr OS there was also a bug causing system instability (a crash) when the loopback interface was handling packets from the external interface. The crash is reproduced with IPv4 and IPv6 packets over TCP connection.

Affected Software

IPv4 packets with the spoofed localhost address are not dropped in any network. IPv6 packets with the spoofed localhost address are handled correctly. IPv4 and IPv6 packets with spoofed source address equal to the destination address are not dropped in any network. This behaviour is present on all non-patched releases of Zephyr OS supporting IPv6 or IPv4.

• Zephyr OS v.3.5
• Zephyr OS v.3.4
• Zephyr OS v.2.7 (LTS v2)
• And all other releases supporting IPv6 or IPv4.

Impact

• CVSS 3.1 base score: 8.6 (High)
• CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Remediation

The fix is included since the commit:

• Zephyr OS main: fa0e04e2edb82bf880b274d9532fcf2729f4d674
• Zephyr OS v.3.5: 62e3c7d871852a23cb5b2dbd7c74f7d5e150f7ea
• Zephyr OS v.3.4: 339194de6e79198e86b83fba5118039974112cfa
• Zephyr OS v.2.7 (LTS v2): 01ad11252ced4cf2e4828a5b5f263cf8d631b6c2
• Patches are not cherry-picked to other releases and those stay vulnerable.

Zephyr OS v.3.6 and newer versions have the fix inherited from the main repository.

Discovery Credit

Kari Hulkko from the CyRC discovered these vulnerabilities by using the Defensics® fuzz testing tool with IPv4 and IPv6 protocol test suites.

Synopsys would like to thank the maintainers of Zephyr OS for their responsiveness and great cooperation.

Timeline

• December 15, 2023: Initial disclosure.
• December 19, 2023: The vulnerability confirmed.
• December 21, 2023: Fix for IPv4 integrated to main branch.
• January 3, 2024: Fix for IPv6 integrated to main branch.
• January 18, 2024: Fixes included in release branches under security maintenance.
• March 15, 2024: Advisory published by Zephyr project.
• March 19, 2024: Advisory published by Synopsys.

About CVSS

FIRST.Org, Inc (FIRST) is a non-profit organisation based out of US that owns and manages CVSS. It is not required to be a member of FIRST to utilise or implement CVSS but FIRST does require any individual or organisation give appropriate attribution while using CVSS. FIRST also states that any individual or organisation that publishes scores follow the guideline so that anyone can understand how the score was calculated.