PT-2014-6187 · Contiki+1 · Uip+1

Allen D. Householder · Published 2014-11-28 · Updated 2015-01-08 · CVE-2014-4883

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

lwIP versions 1.4.1 and earlier
uIP (affected versions not specified)

Description

The issue concerns the DNS resolver in uIP and lwIP: the resolv.c and dns.c files do not use random values for the ID field and source port of DNS query packets. This makes man-in-the-middle attacks easier, because an attacker can conduct cache-poisoning attacks via spoofed reply packets.

Recommendations

For lwIP versions 1.4.1 and earlier, consider updating to a version that randomizes the ID field and source port of DNS queries. For uIP, there is currently no information about a newer version that contains a fix for this vulnerability.
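
The mitigation named in the recommendations, sketched as an added example (this is not lwIP or uIP code): each query gets an unpredictable ID and source port, and a reply is accepted only if both match. The struct, the function names and the use of /dev/urandom on a POSIX host are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-query state; not lwIP's or uIP's actual structures. */
struct pending_query {
    uint16_t id;        /* DNS header ID sent in the query */
    uint16_t src_port;  /* UDP source port the query left from */
};

/* Fill buf from the OS CSPRNG. Assumption: a POSIX host with /dev/urandom;
 * an embedded target would read its hardware RNG instead. */
static int csprng_bytes(void *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Pick an unpredictable ID and an ephemeral source port (49152-65535). */
int query_init(struct pending_query *q)
{
    uint16_t r[2];
    if (csprng_bytes(r, sizeof r) != 0)
        return -1;  /* fail closed: never fall back to a counter */
    q->id = r[0];
    /* 65536 is a multiple of 16384, so the modulo adds no bias. */
    q->src_port = (uint16_t)(49152u + (r[1] % 16384u));
    return 0;
}

/* Accept a reply only if it echoes the ID and arrives on the query's port. */
int reply_matches(const struct pending_query *q,
                  uint16_t reply_id, uint16_t reply_dst_port)
{
    return reply_id == q->id && reply_dst_port == q->src_port;
}

int main(void)
{
    struct pending_query q;
    if (query_init(&q) != 0)
        return 1;
    printf("id=0x%04x port=%u\n", (unsigned)q.id, (unsigned)q.src_port);
    return reply_matches(&q, q.id, q.src_port) ? 0 : 1;
}
```

A complete resolver would also compare the reply's source address and question section against the outstanding query before caching the answer.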

Insufficient Verification of Data Authenticity


Weakness Enumeration

Related Identifiers

CVE-2014-4883

Affected Products

Lwip
Uip