We recently discovered that the latest version of Scapy, a powerful packet manipulation tool used by cybersecurity researchers and network engineers, is susceptible to a Denial of Service (DoS) vulnerability. Ironically, we found this vulnerability while researching ways to better detect and fight DDoS attacks.
Written in the very popular Python coding language, Scapy uses a heuristic algorithm to determine the type of network packet it is inspecting. Because the algorithm relies on port numbers, the packet type can be easily spoofed. In this case, the vulnerability occurs when Scapy is tricked into thinking a network packet is a RADIUS packet. The vulnerability is due to a lack of input validation when reading the length field in the RADIUS packet’s Attribute Value Pairs (AVP). This can cause an infinite loop in the following code section if a certain byte is set to zero:
When Scapy parses a UDP Radius packet that has an AVP with a length byte equal to zero, the getfield function doesn’t shorten the remain value in the while loop. This causes the loop to continue forever, resulting in a Denial of Service (DoS) to Scapy, causing Scapy to crash. This can potentially affect the health of an enterprise network – for instance, if Scapy is being used by IT to monitor network traffic, the monitoring process will stop functioning.
Although this bug was reported and patched, the current Scapy version 2.4.0 available from the Python pip repositories is susceptible to this attack. We tested for this vulnerability using macOS and Ubuntu Linux with both Python 2.7 and Python 3 and found them all vulnerable.
Here is the remote exploit:
Here is the patch:
The solution: clone and build Scapy directly from the github repo:
The current version of Scapy can be DoSed quite easily. The potential impact is large – Scapy is quite a popular tool, and other libraries that depend on Scapy might be vulnerable as well. Networks relying on Scapy for traffic monitoring or other functions can also be affected. If you’re using the affected version of Scapy, or any library that depends on Scapy, we advise you to apply the patch as soon as possible.
Advisory Scapy 2.4.0 – Denial of Services
Authors: Johnathan Azaria and Koby Kilimnik
Vendor url: https://scapy.net/
Status: Patched (but not released to pip repo)
Tested on: macOS sierra 10.12.6 and Ubuntu Linux 16.04
A partial list of libraries with a Scapy dependency that might be affected as well:
- mim-0.2.43 – man in the middle proxy
- ooniprobe-1.3.2 – network analysis tool
- pyersinia-1.0.5 – another network analysis tool
- pysap-0.1.8 – python library that communicates with sap