CyRC Vulnerability Advisory: CVE-2023-7060 Missing Security Control in Zephyr OS IP Packet Handling

Exploitation

IP address spoofing involves creating IP packets with a fake source IP address. This is typically done with the intention of deceiving the recipient into believing that the packet is coming from a legitimate source. When the recipient sends a response back to the source IP address, it is sent to the fake source IP address instead.

A Zephyr OS network stack implementation does not drop IP packets arriving from an external interface with a source address equal to the localhost or the destination address, which is a violation of the recommended security practice.

When the localhost or destination address is used as a fake source address, the response goes to the loopback interface, bypassing host-side IP address–based access control. Depending on the implementation and protocol (UDP/TCP), the target device might handle all or some of the data from the response. One example of this kind of behavior being used to extend local vulnerability to an adjacent network can be seen here.

When responses are handled by loopback interfaces, the target becomes more vulnerable to denial-of-service attacks. In Zephyr OS, there was also a bug causing system instability (a crash) when the loopback interface was handling packets from the external interface. The crash was reproduced with IPv4 and IPv6 packets over TCP connection.

Affected software

IPv4 packets with the spoofed localhost address are not dropped in any network. IPv6 packets with the spoofed localhost address are handled correctly. IPv4 and IPv6 packets with a spoofed source address equal to the destination address are not dropped in any network. This behavior is present on all unpatched releases of Zephyr OS supporting IPv6 or IPv4.

• Zephyr OS v.3.5
• Zephyr OS v.3.4
• Zephyr OS v.2.7 (LTS v2)
• And all other releases supporting IPv6 or IPv4

Impact

CVSS 3.1 base score: 8.6 (High)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Remediation

The fix is included as of the commit

•  Zephyr OS main: fa0e04e2edb82bf880b274d9532fcf2729f4d674
•  Zephyr OS v.3.5: 62e3c7d871852a23cb5b2dbd7c74f7d5e150f7ea
•  Zephyr OS v.3.4: 339194de6e79198e86b83fba5118039974112cfa
•  Zephyr OS v.2.7 (LTS v2): 01ad11252ced4cf2e4828a5b5f263cf8d631b6c2
•  Patches are not cherry-picked to other releases, which remain vulnerable

Zephyr OS v.3.6 and newer versions inherit the fix from the main repository.

Discovery credit

Kari Hulkko from the CyRC discovered these vulnerabilities by using the Defensics® fuzz testing tool with IPv4 and IPv6 protocol test suites.

Black Duck would like to thank the maintainers of Zephyr OS for their responsiveness and cooperation.

Timeline

• December 15, 2023: Initial disclosure
• December 19, 2023: Vulnerability confirmed
• December 21, 2023: Fix for IPv4 integrated to main branch
• January 3, 2024: Fix for IPv6 integrated to main branch
• January 18, 2024: Fixes included in release branches under security maintenance
• March 15, 2024: Advisory published by Zephyr project
• March 19, 2024: Advisory published by Black Duck

About CVSS

FIRST.Org, Inc (FIRST) is a nonprofit organization based out of US that owns and manages CVSS. It is not required to be a member of FIRST to utilize or implement CVSS but FIRST does require any individual or organization give appropriate attribution while using CVSS. FIRST also states that any individual or organization that publishes scores follow the guideline so that anyone can understand how the score was calculated.