IP address spoofing involves creating Internet Protocol (IP) packets with a fake source IP address. This is typically done with the intention of deceiving the recipient into believing that the packet is coming from a legitimate source. When the recipient sends a response back to the source IP address, it is sent to the fake source IP address instead.
Zephyr OS network stack implementation does not drop IP packets arriving from an external interface with a source address equal to the localhost or the destination address, which is a violation of the recommended security practice.
When the localhost or the destination address is used as a fake source address, the response ends up at the loopback interface, bypassing host-side IP-address-based access control. Depending on the implementation and the protocol used (UDP/TCP), the target device might handle all or some of the data from the response. Here is one example where this kind of behaviour is used to extend a local vulnerability to the adjacent network: https://googleprojectzero.
When responses are handled by the loopback interface, the target becomes more vulnerable to DoS (Denial of Service) attacks. In Zephyr OS there was also a bug causing system instability (a crash) when the loopback interface was handling packets from the external interface. The crash is reproduced with IPv4 and IPv6 packets over a TCP connection.
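The ingress check described above, as an added stand-alone model written for this advisory (not Zephyr's own network-stack code): a packet received on a non-loopback interface is dropped when its source address is a loopback address or equals the destination address, for both IPv4 and IPv6. Address byte arrays, the family and verdict enums, and the sample addresses are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-alone model of the ingress check described in the advisory (not
 * Zephyr's own code). Addresses are raw network-order bytes. */
enum ip_family { FAM_V4 = 4, FAM_V6 = 6 };
enum ingress_verdict { INGRESS_ACCEPT = 0, DROP_SRC_LOOPBACK, DROP_SRC_EQ_DST };

/* IPv4 loopback is the whole 127.0.0.0/8 block; IPv6 loopback is only ::1. */
static bool is_loopback(enum ip_family fam, const uint8_t *a)
{
    static const uint8_t v6_lo[16] = { [15] = 1 };
    return fam == FAM_V4 ? a[0] == 127 : memcmp(a, v6_lo, 16) == 0;
}

/* Classify a packet by its source/destination and the receiving interface.
 * Traffic that genuinely arrived on the loopback interface is left alone;
 * anything from an external interface whose source is loopback or equal to
 * the destination is the spoofing case the advisory describes and is dropped. */
enum ingress_verdict classify_ingress(enum ip_family fam, const uint8_t *src,
                                      const uint8_t *dst, bool rx_on_loopback_iface)
{
    size_t len = (fam == FAM_V4) ? 4 : 16;
    if (rx_on_loopback_iface)
        return INGRESS_ACCEPT;
    if (is_loopback(fam, src))
        return DROP_SRC_LOOPBACK;
    if (memcmp(src, dst, len) == 0)
        return DROP_SRC_EQ_DST;
    return INGRESS_ACCEPT;
}

/* Constructed sample addresses (documentation ranges, not real hosts). */
const uint8_t LOOPBACK4[4]  = { 127, 0, 0, 1 };
const uint8_t HOST4[4]      = { 192, 0, 2, 10 };
const uint8_t PEER4[4]      = { 192, 0, 2, 20 };
const uint8_t LOOPBACK6[16] = { [15] = 1 };
const uint8_t HOST6[16]     = { 0x20, 0x01, 0x0d, 0xb8, [15] = 0x10 };

int main(void)
{
    static const char *name[] = { "accept", "drop: loopback source", "drop: src == dst" };
    printf("127.0.0.1 -> host on eth0: %s\n", name[classify_ingress(FAM_V4, LOOPBACK4, HOST4, false)]);
    printf("host -> host on eth0:      %s\n", name[classify_ingress(FAM_V4, HOST4, HOST4, false)]);
    printf("::1 -> host6 on eth0:      %s\n", name[classify_ingress(FAM_V6, LOOPBACK6, HOST6, false)]);
    return 0;
}
```

The verdict enum is returned rather than a bare boolean so that a stack can count or log each drop reason separately, which is what makes a spoofing attempt visible to monitoring.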
Affected Software
IPv4 packets with the spoofed localhost address are not dropped in any network. IPv6 packets with the spoofed localhost address are handled correctly. IPv4 and IPv6 packets with spoofed source address equal to the destination address are not dropped in any network. This behaviour is present on all non-patched releases of Zephyr OS supporting IPv6 or IPv4.
- Zephyr OS v.3.5
- Zephyr OS v.3.4
- Zephyr OS v.2.7 (LTS v2)
- And all other releases supporting IPv6 or IPv4.
Impact
- CVSS 3.1 base score: 8.6 (High)
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Remediation
The fix is included from the following commits onward:
- Zephyr OS main: fa0e04e2edb82bf880b274d9532fcf2729f4d674
- Zephyr OS v.3.5: 62e3c7d871852a23cb5b2dbd7c74f7d5e150f7ea
- Zephyr OS v.3.4: 339194de6e79198e86b83fba5118039974112cfa
- Zephyr OS v.2.7 (LTS v2): 01ad11252ced4cf2e4828a5b5f263cf8d631b6c2
- Patches are not cherry-picked to other releases, and those stay vulnerable.
Zephyr OS v.3.6 and newer versions have the fix inherited from the main repository.
Discovery Credit
Kari Hulkko from the CyRC discovered these vulnerabilities by using the Defensics® fuzz testing tool with IPv4 and IPv6 protocol test suites.
Synopsys would like to thank the maintainers of Zephyr OS for their responsiveness and great cooperation.
Timeline
- December 15, 2023: Initial disclosure.
- December 19, 2023: The vulnerability confirmed.
- December 21, 2023: Fix for IPv4 integrated to main branch.
- January 3, 2024: Fix for IPv6 integrated to main branch.
- January 18, 2024: Fixes included in release branches under security maintenance.
- March 15, 2024: Advisory published by Zephyr project.
- March 19, 2024: Advisory published by Synopsys.
About CVSS
FIRST.Org, Inc (FIRST) is a non-profit organisation based out of US that owns and manages CVSS. It is not required to be a member of FIRST to utilise or implement CVSS but FIRST does require any individual or organisation give appropriate attribution while using CVSS. FIRST also states that any individual or organisation that publishes scores follow the guideline so that anyone can understand how the score was calculated.