Attack on some UDP-based protocols causing packet loops

The CERT Coordination Center (CERT/CC) has published an alert about a series of vulnerabilities in implementations of various application-layer protocols that use UDP as a transport. The vulnerabilities allow denial of service by looping packets between two hosts: an attacker can exhaust available network bandwidth, knock out network services (for example, by generating high load and tripping request rate limits), and build traffic amplifiers for DDoS attacks.

Protocols with vulnerable implementations include DNS, NTP, TFTP, Echo (RFC 862), Chargen (RFC 864) and QOTD (RFC 865). The vulnerability (CVE-2024-2169) has been confirmed in certain products from Cisco, Microsoft, Broadcom, Brother, Honeywell (tracked separately as CVE-2024-1309) and MikroTik. As workarounds, it is recommended to enable anti-spoofing filtering (uRPF) on routers and firewalls, restrict access to UDP services that are not needed, and rate-limit traffic (rate limiting and QoS policies).

The vulnerabilities stem from the fact that UDP offers no protection against source-address spoofing. Without anti-spoofing filtering on transit routers, an attacker can put the IP address of an arbitrary server into the source field of a UDP packet and send it to another server, which returns its response to the spoofed address. The attack consists of setting up a packet loop between two servers running vulnerable protocol implementations: the target server responds to the incoming packet with an error message, the server whose address was spoofed responds to that error with an error of its own, which in turn elicits another error from the first server, and so on. A single spoofed packet is enough to start the exchange, after which the two servers keep playing ping-pong with packets indefinitely.

Notably, this attack technique is not new: one variant against the ntpd time server was fixed back in 2009 (CVE-2009-3563) in versions 4.2.4p8 and 4.2.5. That attack sent an NTP packet with a spoofed source address and the MODE_PRIVATE mode set. The target server replied that private mode was not available, but left MODE_PRIVATE set in its reply, so the other server was equally unable to process it and returned its own error reply, producing a packet loop between the two NTP servers. For DNS, a warning about the possibility of such an attack was published as early as 1996.

A global scan of Internet addresses found at least 23 thousand vulnerable TFTP servers, 63 thousand DNS servers, 89 thousand NTP servers, 56 thousand Echo (RFC 862) services, 22 thousand Chargen (RFC 864) services and 21 thousand QOTD (RFC 865) services currently reachable. In the case of NTP, the unpatched vulnerability is presumed to be due to very old ntpd versions released before 2010. The Echo, Chargen and QOTD services are vulnerable by design, since their whole purpose is to answer any datagram they receive. The TFTP and DNS cases need investigation together with their administrators. The atftpd and tftpd servers are not affected, because they send their responses from a randomly chosen source port, so a reply to the reply lands on a port where nothing is listening. dproxy-nexgen is named as a vulnerable DNS server. Among Microsoft products the problem appears in WDS (Windows Deployment Services), and among Cisco products in 2800 and 2970 series routers.
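The loop mechanism described above, the ntpd-style fix (drop datagrams that are themselves responses) and the atftpd-style behaviour (reply from an ephemeral port) can be observed offline with the following simulation. This is an added example, not code from the original article or from any of the vendors or projects it names; the service classes, the `is_response` marker standing in for the NTP mode-7 response bit, the error payload and the 192.0.2.x addresses are constructed for illustration.

```python
"""Simulation of a UDP application-layer packet loop between two servers.

Added example (not from the original article). Three simplified UDP
services exchange datagrams through an in-memory "network" so that the
loop, and two ways of breaking it, can be observed without sending any
real traffic. Names, ports, addresses and payloads are constructed.
"""
from __future__ import annotations

import random
from collections import deque
from dataclasses import dataclass

SERVICE_PORT = 7  # constructed: an Echo-like well-known service port


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes
    is_response: bool = False  # constructed analogue of the NTP mode-7 response bit


class VulnerableService:
    """Answers *every* datagram arriving on its service port, including
    replies to its own replies, and always answers from the service port."""

    def __init__(self, ip: str):
        self.ip = ip

    def handle(self, d: Datagram) -> Datagram | None:
        if d.dst_port != SERVICE_PORT:
            return None  # nothing listens on other ports
        # The reply goes to whatever the packet claimed as its source;
        # over plain UDP the service has no way to verify that address.
        return Datagram(self.ip, SERVICE_PORT, d.src_ip, d.src_port,
                        b"ERROR: " + d.payload[:16], is_response=True)


class ResponseCheckingService(VulnerableService):
    """Hardened in the spirit of the 2009 ntpd fix: a datagram that is
    itself a response (error or otherwise) is dropped, never answered."""

    def handle(self, d: Datagram) -> Datagram | None:
        if d.is_response:
            return None
        return super().handle(d)


class EphemeralPortService(VulnerableService):
    """Hardened in the spirit of atftpd: replies are sent from a random
    ephemeral port, so the peer's reply-to-the-reply hits a closed port."""

    def __init__(self, ip: str, rng: random.Random | None = None):
        super().__init__(ip)
        self.rng = rng or random.Random(0)

    def handle(self, d: Datagram) -> Datagram | None:
        r = super().handle(d)
        if r is None:
            return None
        return Datagram(r.src_ip, self.rng.randint(49152, 65535),
                        r.dst_ip, r.dst_port, r.payload, is_response=True)


def run_loop(server_a, server_b, max_packets: int = 1000) -> int:
    """Inject one spoofed datagram and deliver packets until the exchange
    dies out or the cap is reached. Returns the number of datagrams delivered;
    hitting the cap means the two servers are looping."""
    hosts = {server_a.ip: server_a, server_b.ip: server_b}
    # The attacker's single packet: source spoofed as A's service port,
    # destination B's service port. No uRPF filter is in the way.
    queue = deque([Datagram(server_a.ip, SERVICE_PORT,
                            server_b.ip, SERVICE_PORT, b"bogus request")])
    delivered = 0
    while queue and delivered < max_packets:
        d = queue.popleft()
        delivered += 1
        reply = hosts[d.dst_ip].handle(d)
        if reply is not None:
            queue.append(reply)
    return delivered


def loop_outcomes(max_packets: int = 1000) -> dict[str, int]:
    """Run the three scenarios against a vulnerable peer A."""
    a, b = "192.0.2.1", "192.0.2.2"  # constructed documentation addresses
    return {
        "vulnerable <-> vulnerable": run_loop(VulnerableService(a), VulnerableService(b), max_packets),
        "vulnerable <-> response-check": run_loop(VulnerableService(a), ResponseCheckingService(b), max_packets),
        "vulnerable <-> ephemeral-port": run_loop(VulnerableService(a), EphemeralPortService(b), max_packets),
    }


if __name__ == "__main__":
    for scenario, n in loop_outcomes().items():
        print(f"{scenario:32s} {n} datagrams delivered")
```

Two vulnerable peers run until the cap, whereas either fix stops the exchange after the second or third datagram; only one side needs to be fixed for the loop to die, which is why patching the reachable servers (or keeping the spoofed packet out with uRPF) is sufficient.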

Source: opennet.ru