Implementations of UDP-based application protocols are vulnerable to network loops

Overview

A novel traffic-loop vulnerability has been identified against certain implementations of UDP-based applications protocols. An unauthenticated attacker can use maliciously-crafted packets against a UDP-based vulnerable implementation of application protocols (e.g., DNS, NTP, TFTP) that can lead to Denial-of-Service (DOS) and/or abuse of resources.

Description

The User Datagram Protocol (UDP) is a simple, connectionless protocol that is still commonly used in many internet-based applications. UDP has a limited packet-verification capability and is susceptible to IP spoofing. Security researchers have identified that certain implementations of the UDP protocol in applications can be triggered to create a network-loop of seemingly never-ending packets. Software implementations of UDP-based application protocols DNS, NTP, TFTP, Echo (RFC862), Chargen (RFC864), and QOTD (RFC865) were specifically found to be vulnerable to such network loops.

As an example, if two application servers have a vulnerable implementation of said protocol, an attacker can initiate a communication with the first server, spoofing the network address of the second server (victim). In many cases, the first server will respond with an error message to the victim, which will also trigger a similar behavior of another error message back to the first server. This behavior has been demonstrated to be resource exhausting and can cause services to become either unresponsive or unstable.

Impact

Successful exploitation of this vulnerability could result in the following scenarios: 1. Overload of a vulnerable service, causing it to become unstable or unusable. 2. DOS attack of the network backbone, causing network outage to other services. 3. Amplification attacks that involve network loops causing amplified DOS or DDOS attacks.

Solution

Apply updates

CERT/CC recommends that you apply the latest patch provided by the affected vendor that addresses this vulnerability in the vendor-specific implementations. Review the vendor-specific information below. If the product is end-of-life/unsupported, vendors will be unlikely to release a patch; thus, we recommend replacing the device.

Protect or replace UDP applications

When possible, protect UDP-based applications using network firewall rules and/or other access-control lists to prevent unauthorized access. If the same service can be implemented using a TCP or with any request-validation capability (e.g., Message-Authenticator) available in the UDP-based application protocol, implement such protection to prevent unknown or spoofed requests. It is recommended that you disable unnecessary and unused UDP services that may be enabled as part of your operating system to prevent exposure of these services for abuse.

Deploy anti-spoofing

Network providers should deploy available anti-spoofing techniques (BCP38) such as Unicast Reverse Path Forwarding (uRPF) to prevent IP spoofing in protecting their internet-facing resources against spoofing and abuse.

Enforce network rate-limiting

Service providers should employ network rate-limiting capabilities, such Quality-of-Service (QoS) to protect their network from abuse from network loops and amplifications and to ensure their critical resources/services are protected.

Acknowledgements

Thanks to the reporters Yepeng Pan and Christian Rossow from the CISPA Helmholtz Center for Information Security, Germany. This document was written by Elke Drennan and Vijay Sarvepalli.

Vendor Information

417980

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Broadcom __ Affected

Notified: 2024-01-17 Updated: 2024-03-19

Statement Date: January 17, 2024

CVE-2009-3563	Unknown
CVE-2024-1309	Unknown CVE-2024-2169

Vendor Statement

Some older DSL/PON/Wifi routers has dproxy-nexgen as part of their SDK, optionally used by SDK customers. Customers of those SDKs have been provided with a patch.

All newer SDKs, beginning with releases in 2021, have had dproxy-nexgen removed.

Cisco __ Affected

Notified: 2024-01-17 Updated: 2024-03-19

Statement Date: March 12, 2024

CVE-2009-3563	Affected
Vendor Statement:
Cisco Published the following Security Advisory regarding the issue back in 2009. Advisory ID: Cisco-SA-20091208-CVE-2009-3563
References:

• <https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20091208-CVE-2009-3563&gt;
  CVE-2024-1309| Not Affected CVE-2024-2169| Not Affected

Vendor Statement

Cisco Reviewed the disclosed vulnerabilities via PSIRT-0133586819:

UDP-based legacy protocols (QOTD, Chargen, and Echo, Time, Daytime and Active Users) * These should be disabled by default on all Cisco products.

DNS Using POC provided: * Cisco Umbrella will drop these packets. * Cisco Prime Network Registrar will drop these packets. * The only products using dproxy-nexgen or dproxy are Cisco RV132W and RV134W; which are end of life.

TFTP * Currently no known products are affected.

NTP Cisco published https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20091208-CVE-2009-3563 regarding this vulnerability back in 2009.

Honeywell __ Affected

Notified: 2024-01-17 Updated: 2024-03-19

Statement Date: January 22, 2024

CVE-2009-3563	Unknown
CVE-2024-1309	Unknown CVE-2024-2169

Vendor Statement

We are affected in out of support products.

Microsoft __ Affected

Notified: 2024-01-17 Updated: 2024-03-19

Statement Date: February 16, 2024

CVE-2009-3563	Unknown
CVE-2024-1309	Unknown CVE-2024-2169

Vendor Statement

This issue has been assessed as a service impacting denial of service against WDS, but it does not result in a crash of the host system. A fix for this issue will be considered for a future version of Windows. Microsoft recommends following best security practices when deploying any service which includes restricting access at edge firewalls to any ports that do not require external access.

MikroTik __ Affected

Notified: 2024-01-17 Updated: 2024-03-19

Statement Date: January 17, 2024

CVE-2009-3563	Unknown
CVE-2024-1309	Unknown CVE-2024-2169

Vendor Statement

Our TFTP service is affected, we have resolved the issue in 7.14beta6 version. Stable versions after 7.13.2 will include a patch for this issue.

Zyxel __ Affected

Notified: 2024-01-17 Updated: 2024-03-26

Statement Date: March 22, 2024

CVE-2009-3563	Not Affected
CVE-2024-1309	Not Affected CVE-2024-2169
The following end-of-life (EOL) products, ZyWALL 2, ZyWALL 2 Plus, ZyWALL 2WG, ZyWALL 5, ZyWALL 35, and ZyWALL 70, are affected.

CERT Addendum

The following end-of-life products are affected: ZyWALL 2, ZyWALL 2 Plus, ZyWALL 2WG, ZyWALL 5, ZyWALL 35, and ZyWALL 70

We recommend replacing these devices, as the vendor has indicated that patches will not be provided for them.

Allegro Software Development Corporation Not Affected

Notified: 2024-01-17 Updated: 2024-03-19

Statement Date: January 17, 2024

CVE-2009-3563	Unknown
CVE-2024-1309	Unknown CVE-2024-2169

Vendor Statement

We have not received a statement from the vendor.

Red Hat __ Not Affected

Notified: 2024-03-25 Updated: 2024-04-03

Statement Date: April 02, 2024

CVE-2009-3563	Not Affected
Vendor Statement:
Red Hat’s versions of NTP as distributed with Red Hat Enterprise Linux are not vulnerable to this flaw. It was fixed back then when reported as described in the reference link.
References:

• <https://access.redhat.com/security/cve/CVE-2009-3563&gt;
  CVE-2024-1309| Not Affected Vendor Statement:
  Red Hat is not affected by this vulnerability, as such component is not distributed with any supported Red Hat product.
  CVE-2024-2169| Not Affected ** References: **

• <https://access.redhat.com/security/cve/cve-2024-2169&gt;

Technicolor Not Affected

Notified: 2024-01-17 Updated: 2024-03-19

Statement Date: March 14, 2024

CVE-2009-3563	Not Affected
CVE-2024-1309	Not Affected CVE-2024-2169

Vendor Statement

We have not received a statement from the vendor.

American Megatrends Incorporated (AMI) Unknown

Notified: 2024-03-27 Updated: 2024-04-03 CVE-2009-3563	Unknown
CVE-2024-1309	Unknown CVE-2024-2169

Vendor Statement

We have not received a statement from the vendor.

ARRIS Unknown

Notified: 2024-01-17 Updated: 2024-03-19 CVE-2009-3563	Unknown
CVE-2024-1309	Unknown CVE-2024-2169

Vendor Statement

We have not received a statement from the vendor.

Brother USA Unknown

Notified: 2024-01-17 Updated: 2024-03-19 CVE-2009-3563	Unknown
CVE-2024-1309	Unknown CVE-2024-2169

Vendor Statement

We have not received a statement from the vendor.

dproxy-nexgen Unknown

Notified: 2024-03-20 Updated: 2024-03-26 CVE-2009-3563	Unknown
CVE-2024-1309	Unknown CVE-2024-2169

Vendor Statement

We have not received a statement from the vendor.

Hughes Network Systems Inc. Unknown

Notified: 2024-01-17 Updated: 2024-03-19

Statement Date: January 23, 2024

CVE-2009-3563	Unknown
CVE-2024-1309	Unknown CVE-2024-2169

Vendor Statement

We have not received a statement from the vendor.

JPCERT/CC Vulnerability Handling Team Unknown

Notified: 2024-03-25 Updated: 2024-03-20 CVE-2009-3563	Unknown
CVE-2024-1309	Unknown CVE-2024-2169

Vendor Statement

We have not received a statement from the vendor.

NETGEAR Unknown

Notified: 2024-03-19 Updated: 2024-03-19 CVE-2009-3563	Unknown
CVE-2024-1309	Unknown CVE-2024-2169

Vendor Statement

We have not received a statement from the vendor.

PLANET Technology Unknown

Notified: 2024-01-17 Updated: 2024-03-19 CVE-2009-3563	Unknown
CVE-2024-1309	Unknown CVE-2024-2169

Vendor Statement

We have not received a statement from the vendor.

sourceforge Unknown

Updated: 2024-03-20 CVE-2009-3563	Unknown
CVE-2024-1309	Unknown CVE-2024-2169

Vendor Statement

We have not received a statement from the vendor.

TP-LINK Unknown

Notified: 2024-01-17 Updated: 2024-03-19 CVE-2009-3563	Unknown
CVE-2024-1309	Unknown CVE-2024-2169

Vendor Statement

We have not received a statement from the vendor.

View all 19 vendors __View less vendors __

References

• <https://docs.google.com/document/d/1KByZzrdwQhrXGPPCf9tUzERZyRzg0xOpGbWoDURZxTI/edit#heading=h.edovh0fxvs07&gt;
• <https://datatracker.ietf.org/doc/html/rfc768&gt;
• <https://datatracker.ietf.org/doc/html/rfc862/&gt;
• <https://datatracker.ietf.org/doc/html/rfc864/&gt;
• <https://www.cisa.gov/news-events/alerts/2014/01/17/udp-based-amplification-attacks&gt;
• <https://manrs.org/netops/guide/antispoofing/&gt;
• <https://datatracker.ietf.org/doc/html/rfc7873&gt;
• <https://www.darkreading.com/cyberattacks-data-breaches/breaking-the-ddos-attack-loop-with-rate-limiting&gt;
• <https://www.dotmagazine.online/issues/digital-responsibility-and-sustainability/dns-cookies-transaction-mechanism&gt;
• <https://www.kb.cert.org/vuls/id/568372&gt;
• <https://nvd.nist.gov/vuln/detail/CVE-2009-3563&gt;
• <https://vuls.cert.org/confluence/display/historical/CERT+Advisory+CA-1996-01+UDP+Port+Denial-of-Service+Attack&gt;

Other Information

CVE IDs:	CVE-2009-3563 CVE-2024-1309 CVE-2024-2169
API URL:	VINCE JSON
Date Public:	2024-03-19 Date First Published: