Traceroute_APP responses are not rate-limited.

Low
garthvh published GHSA-4hjx-54gf-2jh7 Jul 11, 2025

Package

No package listed

Affected versions

< 2.5.1

Patched versions

2.5.1 +

Description

Summary

Traceroute responses from the remote node are not rate limited.

Details

Given that there are SNR measurements attributed to each received transmission, this is a guaranteed way to get a remote station to reliably and continuously respond. You could easily get 100 samples in a short amount of time (estimated 2 minutes), whereas passively doing the same could take hours or days.

As a secondary effect, non-rate-limited traceroute also allows a 2:1 reflected DoS of the network, but this concern is smaller than the problem with positional confidentiality (other DoS routes exist).
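One way to bound how often a node answers traceroute requests, as an added example that is not Meshtastic firmware code or the 2.5.1 patch: a per-requester minimum interval plus a global floor on replies. The class name, the four-entry table and the 30 s / 1 s limits are assumptions chosen for illustration.

```cpp
#include <array>
#include <cstdint>

// Added example: not Meshtastic firmware code. Names and limits are assumptions.
class TracerouteReplyLimiter {
  public:
    TracerouteReplyLimiter(uint32_t perNodeMs, uint32_t globalMs)
        : perNodeMs_(perNodeMs), globalMs_(globalMs) {}

    // True if a traceroute reply to requester `from` may be sent at `nowMs`
    // (monotonic milliseconds; unsigned subtraction survives counter wrap).
    bool allowReply(uint32_t from, uint32_t nowMs) {
        // Global floor: bounds total reply airtime whoever is asking.
        if (anySent_ && nowMs - lastAnyMs_ < globalMs_) return false;
        Slot *match = nullptr, *victim = nullptr;
        for (auto &s : slots_) {
            if (s.used && s.node == from) { match = &s; break; }
            // Reusable slot: empty, or its requester's interval has expired.
            if (!victim && (!s.used || nowMs - s.lastMs >= perNodeMs_)) victim = &s;
        }
        if (match) {
            if (nowMs - match->lastMs < perNodeMs_) return false; // too soon
        } else {
            // Table full of still-limited requesters: fail closed rather than
            // evict an entry whose interval is still running.
            if (!victim) return false;
            match = victim;
        }
        match->node = from;
        match->lastMs = nowMs;
        match->used = true;
        lastAnyMs_ = nowMs;
        anySent_ = true;
        return true;
    }

  private:
    struct Slot { uint32_t node = 0; uint32_t lastMs = 0; bool used = false; };
    std::array<Slot, 4> slots_{}; // small table, sized for the demo
    uint32_t perNodeMs_, globalMs_, lastAnyMs_ = 0;
    bool anySent_ = false;
};

int main() {
    TracerouteReplyLimiter lim(30000, 1000); // assumed: 30 s per node, 1 s global
    bool first = lim.allowReply(0x1234, 0);    // constructed requester id
    bool spam = lim.allowReply(0x1234, 2000);  // repeat request 2 s later
    return (first && !spam) ? 0 : 1;
}
```

With limits like these, collecting 100 replies from one node takes at least 100 times the per-node interval instead of the roughly 2 minutes estimated above.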

PoC

In the Meshtastic app, just keep tracerouting the destination node. Or script the Python API with a simple bash script to repeatedly send out traceroute requests to the target node.

Impact

Only nodes with the same AES key, spread factor, code rate, frequency, and bandwidth can be actively interrogated with traceroute spam. This does mean that all the presets with the default AQ== key are subject to this attack.

CVSS estimation

I estimate this as a CVSS 3.1 score of 8.0 [AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:F/RL:X/RC:X]
(note: GitHub doesn't like this CVSS 3.1 string for parsing purposes)

I marked confidentiality as high, because this greatly affects node position confidentiality. Being able to reliably have a node communicate at will allows an easily implementable, repeatable way to determine location, even if the node operator does not have location sharing enabled.

I marked availability as low, since this does provide a way to easily DoS the network by reflecting an attack against another node (and its response). However, there are other ways that one can DoS Meshtastic networks, so marked as low.

Severity

Low

CVE ID

CVE-2024-47065

Weaknesses

No CWEs
