VU#417980: UDP-based, application-layer protocol implementations are vulnerable to network loops

CERT Security Advisory

Overview
A novel traffic-loop vulnerability has been identified against certain implementations of UDP-based applications protocols. An unauthenticated attacker can use maliciously-crafted packets against a UDP-based vulnerable implementation of application protocols (e.g., DNS, NTP, TFTP) that can lead to Denial-of-Service (DOS) and/or abuse of resources.
Description
The User Datagram Protocol (UDP) is a simple, connectionless protocol that is still commonly used in many internet-based applications. UDP has a limited packet-verification capability and is susceptible to IP spoofing. Security researchers have identified that certain implementations of the UDP protocol in applications can be triggered to create a network-loop of seemingly never-ending packets. Software implementations of UDP-based application protocols DNS, NTP, TFTP, Echo (RFC862), Chargen (RFC864), and QOTD (RFC865) were specifically found to be vulnerable to such network loops.
As an example, if two application servers have a vulnerable implementation of said protocol, an attacker can initiate a communication with the first server, spoofing the network address of the second server (victim). In many cases, the first server will respond with an error message to the victim, which will also trigger a similar behavior of another error message back to the first server. This behavior has been demonstrated to be resource exhausting and can cause services to become either unresponsive or unstable.
Impact
Successful exploitation of this vulnerability could result in the following scenarios:
1. Overload of a vulnerable service, causing it to become unstable or unusable.
2. DOS attack of the network backbone, causing network outage to other services.
3. Amplification attacks that involve network loops causing amplified DOS or DDOS attacks.
Solution
Apply updates
CERT/CC recommends that you apply the latest patch provided by the affected vendor that addresses this vulnerability in the vendor-specific implementations. Review the vendor-specific information below. If the product is end-of-life/unsupported, vendors will be unlikely to release a patch; thus, we recommend replacing the device.
Protect or replace UDP applications
When possible, protect UDP-based applications using network firewall rules and/or other access-control lists to prevent unauthorized access. If the same service can be implemented using a TCP or with any request-validation capability (e.g., Message-Authenticator) available in the UDP-based application protocol, implement such protection to prevent unknown or spoofed requests. It is recommended that you disable unnecessary and unused UDP services that may be enabled as part of your operating system to prevent exposure of these services for abuse.
Deploy anti-spoofing
Network providers should deploy available anti-spoofing techniques (BCP38) such as Unicast Reverse Path Forwarding (uRPF) to prevent IP spoofing in protecting their internet-facing resources against spoofing and abuse.
Enforce network rate-limiting
Service providers should employ network rate-limiting capabilities, such Quality-of-Service (QoS) to protect their network from abuse from network loops and amplifications and to ensure their critical resources/services are protected.
Acknowledgements
Thanks to the reporters Yepeng Pan and Christian Rossow from the CISPA Helmholtz Center for Information Security, Germany. This document was written by Elke Drennan and Vijay Sarvepalli.

Vendor Information

One or more vendors are listed for this advisory. Please reference the full report for more information.

References

https://docs.google.com/document/d/1KByZzrdwQhrXGPPCf9tUzERZyRzg0xOpGbWoDURZxTI/edit#heading=h.edovh0fxvs07

https://datatracker.ietf.org/doc/html/rfc768

https://datatracker.ietf.org/doc/html/rfc862/

https://datatracker.ietf.org/doc/html/rfc864/

https://www.cisa.gov/news-events/alerts/2014/01/17/udp-based-amplification-attacks

https://manrs.org/netops/guide/antispoofing/

https://datatracker.ietf.org/doc/html/rfc7873

https://www.darkreading.com/cyberattacks-data-breaches/breaking-the-ddos-attack-loop-with-rate-limiting

https://www.dotmagazine.online/issues/digital-responsibility-and-sustainability/dns-cookies-transaction-mechanism

https://www.kb.cert.org/vuls/id/568372

https://nvd.nist.gov/vuln/detail/CVE-2009-3563

https://vuls.cert.org/confluence/display/historical/CERT+Advisory+CA-1996-01+UDP+Port+Denial-of-Service+Attack

Other Information

CVE IDs:

CVE-2024-2169

CVE-2024-1309

CVE-2009-3563

Date Public:

2024-03-19

Date First Published:
2024-03-19

Date Last Updated:
2024-03-19 19:49 UTC

Document Revision:
1

About vulnerability notes
Contact us about this vulnerability
Provide a vendor statement

READ MORE

Leave a Reply

Your email address will not be published. Required fields are marked *