CVSS v3.1: 6.5 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | LOW |
| Availability Impact | LOW |

AI Score: 7.8 High (Confidence: High)

CVSS v2: 6.4 Medium (AV:N/AC:L/Au:N/C:N/I:P/A:P)

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | NONE |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |

EPSS: 0.963 High (Percentile: 99.5%)
A novel traffic-loop vulnerability has been identified in certain implementations of UDP-based application protocols. An unauthenticated attacker can send maliciously crafted packets to a vulnerable UDP-based implementation of an application protocol (e.g., DNS, NTP, TFTP), leading to Denial-of-Service (DoS) and/or abuse of resources.
The User Datagram Protocol (UDP) is a simple, connectionless protocol that is still commonly used in many internet-based applications. UDP has only limited packet-verification capability and is susceptible to IP spoofing. Security researchers have identified that certain UDP-based application implementations can be triggered into a network loop of seemingly never-ending packets. Software implementations of the UDP-based application protocols DNS, NTP, TFTP, Echo (RFC862), Chargen (RFC864), and QOTD (RFC865) were specifically found to be vulnerable to such network loops.
As an example, if two application servers run a vulnerable implementation of one of these protocols, an attacker can send the first server a packet whose source address is spoofed to be that of the second server (the victim). In many cases the first server will respond with an error message to the victim, which in turn triggers a similar error message back to the first server. This behavior has been demonstrated to be resource exhausting and can cause services to become either unresponsive or unstable.
Successful exploitation of this vulnerability could result in the following scenarios:
1. Overload of a vulnerable service, causing it to become unstable or unusable.
2. DoS attack on the network backbone, causing a network outage for other services.
3. Amplification attacks that involve network loops, causing amplified DoS or DDoS attacks.
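The loop described above can be reproduced in-memory without any sockets. The following is an added example, not code from the CERT note or from any of the affected implementations: two abstract servers "A" and "B" are modelled as handlers that map an incoming payload to a reply (or to silence), and a single spoofed datagram is delivered and its replies followed. A handler that answers an error message with another error message (the vulnerable behaviour) never lets the exchange end; a handler that stays silent on error or unparseable input (the fix most vendors shipped) terminates it after one or two datagrams. The `REQ:`/`OK:`/`ERR:` payload markers and the server names are constructed for the simulation and stand in for whichever application protocol is being modelled.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Datagram:
    """One UDP datagram, reduced to the fields the loop depends on (constructed model)."""
    src: str      # source address as the receiver sees it; UDP cannot verify it
    dst: str
    payload: bytes


# A handler maps an incoming payload to the payload it sends back, or None for silence.
Handler = Callable[[bytes], Optional[bytes]]

ERROR_PREFIX = b"ERR:"   # constructed marker standing in for a protocol error reply


def vulnerable_handler(payload: bytes) -> Optional[bytes]:
    """Answers anything it cannot parse, including another server's error, with an error.

    This mirrors the behaviour the note describes: an error from one server is
    itself an unparseable message to its peer, which replies with an error, and so on."""
    if payload.startswith(b"REQ:"):
        return b"OK:" + payload[4:]
    return ERROR_PREFIX + b"unrecognised message"


def hardened_handler(payload: bytes) -> Optional[bytes]:
    """Replies only to well-formed requests; errors and garbage are dropped silently."""
    if payload.startswith(b"REQ:"):
        return b"OK:" + payload[4:]
    return None


def run_loop(handlers: Dict[str, Handler], trigger: Datagram, max_packets: int = 1000) -> int:
    """Deliver `trigger`, then keep delivering every reply to its destination.

    Returns how many datagrams were delivered before one side fell silent;
    a result equal to `max_packets` means the exchange never stopped."""
    delivered = 0
    pkt: Optional[Datagram] = trigger
    while pkt is not None and delivered < max_packets:
        delivered += 1
        reply = handlers[pkt.dst](pkt.payload)
        # No handshake in UDP: the reply goes to whatever source address the
        # datagram claimed, so a spoofed source steers it to the victim.
        pkt = Datagram(src=pkt.dst, dst=pkt.src, payload=reply) if reply is not None else None
    return delivered


def compare_scenarios(max_packets: int = 1000) -> Dict[str, int]:
    """Run the same spoofed trigger against three pairings of server behaviour."""
    # The single attacker packet: sent to server A, carrying B's address as its source.
    spoofed = Datagram(src="B", dst="A", payload=b"ERR:spoofed trigger")
    return {
        "both vulnerable": run_loop({"A": vulnerable_handler, "B": vulnerable_handler}, spoofed, max_packets),
        "A fixed": run_loop({"A": hardened_handler, "B": vulnerable_handler}, spoofed, max_packets),
        "B fixed": run_loop({"A": vulnerable_handler, "B": hardened_handler}, spoofed, max_packets),
    }


if __name__ == "__main__":
    for name, count in compare_scenarios().items():
        print(f"{name:16s} {count:5d} datagram(s) exchanged")
```

Running the script shows the "both vulnerable" pairing exhausting the packet cap while fixing either side ends the exchange after one or two datagrams. Note that a well-formed `REQ:` trigger loops just as well between two vulnerable servers, because the `OK:` reply is itself an unsolicited, unparseable message to the peer; the defensive rule is therefore "never reply to anything that is not a valid request", not merely "do not reply to errors".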
CERT/CC recommends that you apply the latest patch provided by the affected vendor that addresses this vulnerability in the vendor-specific implementations. Review the vendor-specific information below. If the product is end-of-life/unsupported, vendors will be unlikely to release a patch; thus, we recommend replacing the device.
When possible, protect UDP-based applications with network firewall rules and/or other access-control lists to prevent unauthorized access. If the same service can be provided over TCP, or the UDP-based application protocol offers a request-validation capability (e.g., Message-Authenticator), use it to reject unknown or spoofed requests. Disable unnecessary and unused UDP services that may be enabled as part of your operating system so that they are not exposed to abuse.
Network providers should deploy available anti-spoofing techniques (BCP38), such as Unicast Reverse Path Forwarding (uRPF), to prevent IP spoofing and protect their internet-facing resources against spoofing and abuse.
Service providers should employ network rate-limiting capabilities, such as Quality-of-Service (QoS), to protect their network from abuse by network loops and amplification and to ensure their critical resources and services are protected.
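The two network-side controls recommended above, ingress anti-spoofing (BCP38/uRPF) and rate limiting, can both be shown on small constructed data. The following is an added example and not part of the CERT note, MANRS guidance or any vendor's product: `urpf_strict_accept` implements the strict-uRPF rule over a constructed forwarding table (a packet is accepted on an interface only if the longest-prefix route for its source address points back out that same interface), and `ReplyRateLimiter` is a per-peer token bucket that caps how many replies a UDP service emits to one address, so a looping peer is throttled to the configured rate rather than running at line speed. The interface names, prefixes and peer address are constructed (documentation ranges), and the fake clock exists only to make the throttling run deterministic.

```python
import ipaddress
import time
from collections import defaultdict
from typing import Callable, Dict, Optional, Tuple

# Constructed forwarding table for a provider edge router: prefix -> egress interface.
# Prefixes come from the documentation ranges (TEST-NET-2/3), not from real customers.
ROUTES: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("203.0.113.0/24"): "customer0",
    ipaddress.ip_network("198.51.100.0/24"): "customer1",
    ipaddress.ip_network("0.0.0.0/0"): "upstream",
}


def route_interface(addr: str) -> Optional[str]:
    """Longest-prefix match of addr against ROUTES; None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, iface in ROUTES.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict_accept(src: str, ingress_iface: str) -> bool:
    """BCP38 / strict uRPF: accept only if the route back to the *source* address
    leaves through the interface the packet arrived on. A customer port therefore
    cannot inject packets that claim another customer's or the Internet's addresses."""
    return route_interface(src) == ingress_iface


class ReplyRateLimiter:
    """Per-peer token bucket for a UDP service's outbound replies.

    Each peer may receive at most `burst` replies at once and `rate` replies per
    second sustained. A looping peer that fires back every reply it receives is
    held to `rate` instead of saturating the link."""

    def __init__(self, rate: float, burst: int, clock: Callable[[], float] = time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self._tokens: Dict[str, float] = defaultdict(lambda: float(burst))
        self._last: Dict[str, float] = {}

    def allow(self, peer: str) -> bool:
        now = self.clock()
        elapsed = now - self._last.get(peer, now)          # 0 on first sight of a peer
        self._tokens[peer] = min(float(self.burst), self._tokens[peer] + elapsed * self.rate)
        self._last[peer] = now
        if self._tokens[peer] >= 1.0:
            self._tokens[peer] -= 1.0
            return True
        return False


def replies_sent_under_limit(packets: int, rate: float, burst: int, interval_s: float = 0.001) -> int:
    """Feed `packets` back-to-back loop datagrams from one peer through the limiter,
    advancing a fake clock by `interval_s` per packet; returns how many replies the
    service would actually emit."""
    fake_now = [0.0]
    limiter = ReplyRateLimiter(rate, burst, clock=lambda: fake_now[0])
    sent = 0
    for _ in range(packets):
        if limiter.allow("198.51.100.7"):   # constructed peer address
            sent += 1
        fake_now[0] += interval_s
    return sent


if __name__ == "__main__":
    for src, iface in [("203.0.113.9", "customer0"), ("198.51.100.7", "customer0"),
                       ("192.0.2.1", "upstream"), ("203.0.113.9", "upstream")]:
        print(f"src {src:14s} on {iface:10s} -> {'accept' if urpf_strict_accept(src, iface) else 'drop (spoofed)'}")
    print("replies emitted to a peer sending 1000 pkt/s, limit 10/s burst 5:",
          replies_sent_under_limit(1000, 10.0, 5))
```

With a 10 reply/s limit and a burst of 5, a peer that pushes 1000 loop datagrams in one second gets only about fifteen replies back; the rest are dropped locally, which is the effect the rate-limiting recommendation is after. The uRPF check is the provider-side complement: the spoofed trigger that starts a loop never reaches the first server if the attacker's access port rejects packets whose source prefix belongs to some other interface.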
Thanks to the reporters Yepeng Pan and Christian Rossow from the CISPA Helmholtz Center for Information Security, Germany. This document was written by Elke Drennan and Vijay Sarvepalli.
VU#417980
Notified: 2024-01-17 Updated: 2024-03-19
Statement Date: January 17, 2024
| CVE | Status |
|---|---|
| CVE-2009-3563 | Unknown |
| CVE-2024-1309 | Unknown |
| CVE-2024-2169 | |

Some older DSL/PON/Wifi routers have dproxy-nexgen as part of their SDK, optionally used by SDK customers. Customers of those SDKs have been provided with a patch.
All newer SDKs, beginning with releases in 2021, have had dproxy-nexgen removed.
Notified: 2024-01-17 Updated: 2024-03-19
Statement Date: March 12, 2024
| CVE | Status |
|---|---|
| CVE-2009-3563 | Affected |

Vendor Statement: Cisco published the following Security Advisory regarding the issue back in 2009. Advisory ID: Cisco-SA-20091208-CVE-2009-3563

References:

Cisco reviewed the disclosed vulnerabilities via PSIRT-0133586819:

* UDP-based legacy protocols (QOTD, Chargen, and Echo, Time, Daytime and Active Users)
  * These should be disabled by default on all Cisco products.
* DNS, using the PoC provided:
  * Cisco Umbrella will drop these packets.
  * Cisco Prime Network Registrar will drop these packets.
  * The only products using dproxy-nexgen or dproxy are Cisco RV132W and RV134W, which are end of life.
* TFTP
  * Currently no known products are affected.
* NTP
  * Cisco published https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20091208-CVE-2009-3563 regarding this vulnerability back in 2009.
Notified: 2024-01-17 Updated: 2024-03-19
Statement Date: January 22, 2024
| CVE | Status |
|---|---|
| CVE-2009-3563 | Unknown |
| CVE-2024-1309 | Unknown |
| CVE-2024-2169 | |

We are affected in out-of-support products.
Notified: 2024-01-17 Updated: 2024-03-19
Statement Date: February 16, 2024
| CVE | Status |
|---|---|
| CVE-2009-3563 | Unknown |
| CVE-2024-1309 | Unknown |
| CVE-2024-2169 | |
This issue has been assessed as a service impacting denial of service against WDS, but it does not result in a crash of the host system. A fix for this issue will be considered for a future version of Windows. Microsoft recommends following best security practices when deploying any service which includes restricting access at edge firewalls to any ports that do not require external access.
Notified: 2024-01-17 Updated: 2024-03-19
Statement Date: January 17, 2024
| CVE | Status |
|---|---|
| CVE-2009-3563 | Unknown |
| CVE-2024-1309 | Unknown |
| CVE-2024-2169 | |

Our TFTP service is affected; we have resolved the issue in the 7.14beta6 version. Stable versions after 7.13.2 will include a patch for this issue.
Notified: 2024-01-17 Updated: 2024-03-26
Statement Date: March 22, 2024
| CVE | Status |
|---|---|
| CVE-2009-3563 | Not Affected |
| CVE-2024-1309 | Not Affected |
| CVE-2024-2169 | |

The following end-of-life (EOL) products, ZyWALL 2, ZyWALL 2 Plus, ZyWALL 2WG, ZyWALL 5, ZyWALL 35, and ZyWALL 70, are affected.
The following end-of-life products are affected: ZyWALL 2, ZyWALL 2 Plus, ZyWALL 2WG, ZyWALL 5, ZyWALL 35, and ZyWALL 70
We recommend replacing these devices, as the vendor has indicated that patches will not be provided for them.
Notified: 2024-01-17 Updated: 2024-03-19
Statement Date: January 17, 2024
| CVE | Status |
|---|---|
| CVE-2009-3563 | Unknown |
| CVE-2024-1309 | Unknown |
| CVE-2024-2169 | |
We have not received a statement from the vendor.
Notified: 2024-03-25 Updated: 2024-04-03
Statement Date: April 02, 2024
| CVE | Status |
|---|---|
| CVE-2009-3563 | Not Affected |
| CVE-2024-1309 | Not Affected |
| CVE-2024-2169 | Not Affected |

Vendor Statement (CVE-2009-3563): Red Hat's versions of NTP as distributed with Red Hat Enterprise Linux are not vulnerable to this flaw. It was fixed back then when reported as described in the reference link.

References: https://access.redhat.com/security/cve/CVE-2009-3563

Vendor Statement (CVE-2024-1309): Red Hat is not affected by this vulnerability, as such component is not distributed with any supported Red Hat product.
Notified: 2024-01-17 Updated: 2024-03-19
Statement Date: March 14, 2024
| CVE | Status |
|---|---|
| CVE-2009-3563 | Not Affected |
| CVE-2024-1309 | Not Affected |
| CVE-2024-2169 | |
We have not received a statement from the vendor.
Notified: 2024-03-27 Updated: 2024-04-03

| CVE | Status |
|---|---|
| CVE-2009-3563 | Unknown |
| CVE-2024-1309 | Unknown |
| CVE-2024-2169 | |
We have not received a statement from the vendor.
Notified: 2024-01-17 Updated: 2024-03-19

| CVE | Status |
|---|---|
| CVE-2009-3563 | Unknown |
| CVE-2024-1309 | Unknown |
| CVE-2024-2169 | |
We have not received a statement from the vendor.
Notified: 2024-01-17 Updated: 2024-03-19

| CVE | Status |
|---|---|
| CVE-2009-3563 | Unknown |
| CVE-2024-1309 | Unknown |
| CVE-2024-2169 | |
We have not received a statement from the vendor.
Notified: 2024-03-20 Updated: 2024-03-26

| CVE | Status |
|---|---|
| CVE-2009-3563 | Unknown |
| CVE-2024-1309 | Unknown |
| CVE-2024-2169 | |
We have not received a statement from the vendor.
Notified: 2024-01-17 Updated: 2024-03-19
Statement Date: January 23, 2024
| CVE | Status |
|---|---|
| CVE-2009-3563 | Unknown |
| CVE-2024-1309 | Unknown |
| CVE-2024-2169 | |
We have not received a statement from the vendor.
Notified: 2024-03-25 Updated: 2024-03-20

| CVE | Status |
|---|---|
| CVE-2009-3563 | Unknown |
| CVE-2024-1309 | Unknown |
| CVE-2024-2169 | |
We have not received a statement from the vendor.
Notified: 2024-03-19 Updated: 2024-03-19

| CVE | Status |
|---|---|
| CVE-2009-3563 | Unknown |
| CVE-2024-1309 | Unknown |
| CVE-2024-2169 | |
We have not received a statement from the vendor.
Notified: 2024-01-17 Updated: 2024-03-19

| CVE | Status |
|---|---|
| CVE-2009-3563 | Unknown |
| CVE-2024-1309 | Unknown |
| CVE-2024-2169 | |
We have not received a statement from the vendor.
Updated: 2024-03-20

| CVE | Status |
|---|---|
| CVE-2009-3563 | Unknown |
| CVE-2024-1309 | Unknown |
| CVE-2024-2169 | |
We have not received a statement from the vendor.
Notified: 2024-01-17 Updated: 2024-03-19

| CVE | Status |
|---|---|
| CVE-2009-3563 | Unknown |
| CVE-2024-1309 | Unknown |
| CVE-2024-2169 | |
We have not received a statement from the vendor.
| Field | Value |
|---|---|
| CVE IDs | CVE-2009-3563, CVE-2024-1309, CVE-2024-2169 |
| API URL | VINCE JSON |
| Date Public | 2024-03-19 |
| Date First Published | |
References:

https://datatracker.ietf.org/doc/html/rfc768
https://datatracker.ietf.org/doc/html/rfc7873
https://datatracker.ietf.org/doc/html/rfc862/
https://datatracker.ietf.org/doc/html/rfc864/
https://docs.google.com/document/d/1KByZzrdwQhrXGPPCf9tUzERZyRzg0xOpGbWoDURZxTI/edit#heading=h.edovh0fxvs07
https://manrs.org/netops/guide/antispoofing/
https://nvd.nist.gov/vuln/detail/CVE-2009-3563
https://vuls.cert.org/confluence/display/historical/CERT+Advisory+CA-1996-01+UDP+Port+Denial-of-Service+Attack
https://www.cisa.gov/news-events/alerts/2014/01/17/udp-based-amplification-attacks
https://www.darkreading.com/cyberattacks-data-breaches/breaking-the-ddos-attack-loop-with-rate-limiting
https://www.dotmagazine.online/issues/digital-responsibility-and-sustainability/dns-cookies-transaction-mechanism
https://www.kb.cert.org/vuls/id/568372