CERTVU:646008Buffalo AirStation Extreme N600 Router WZR-600DHP2 uses insufficiently random values for DNS queries
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
6.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
0.002 Low
EPSS
Percentile
57.1%
Overview
Buffalo AirStation Extreme N600 Router WZR-600DHP2, firmware versions 2.09, 2.13, 2.16, and possibly others, uses insufficiently random values for DNS queries and is vulnerable to DNS spoofing attacks.
Description
CWE-330: Use of Insufficiently Random Values- CVE-2015-8262
The Buffalo AirStation Extreme N600 Router WZR-600DHP2 uses static source ports and predictable TXIDs that increment from 0x0002 for all DNS queries originating from the local area network (LAN). An attacker with the ability to spoof DNS responses can cause WZR-600DHP2 LAN clients to contact incorrect or malicious hosts under the attacker’s control.
The following graph shows a distribution of 300 DNS queries captured on the WAN port of the WZR-600DHP2:
Impact
A remote, unauthenticated attacker may be able to spoof DNS responses to cause WZR-600DHP2 LAN clients to contact attacker-controlled hosts.
Solution
Apply an update
The vendor has released firmware version 2.17 to address this vulnerability. Users should review the readme and update affected devices to the latest release.
Vendor Information
646008
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Buffalo Inc Affected
Notified: July 01, 2015 Updated: December 10, 2015
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 5 | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| Temporal | 4.5 | E:POC/RL:U/RC:C |
| Environmental | 1.1 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
References
- <http://www.buffalotech.com/products/wireless/dual-band-routers/airstation-extreme-n600-router>
- <http://www.buffalotech.com/support-and-downloads/download/wzr600dhp2-us-217.zip>
- <http://www.buffalotech.com/support-and-downloads/download/wzr600dhp2-us-217.txt>
Acknowledgements
These vulnerabilities were reported by Joel Land of the CERT/CC.
This document was written by Joel Land.
Other Information
| CVE IDs: | CVE-2015-8262 |
|---|---|
| Date Public: | 2015-12-10 Date First Published: |
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
6.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
0.002 Low
EPSS
Percentile
57.1%