CVE-2020-17440
Last modified
CVE-2020-17440 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. The code that parses incoming DNS packets does not validate that domain names present in the DNS responses have '\0' termination. EPSS estimates a 2.76% chance of exploitation in the next 30 days.
Description
An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. The code that parses incoming DNS packets does not validate that domain names present in the DNS responses have '\0' termination. This results in errors when calculating the offset of the pointer that jumps over domain name bytes in DNS response packets when a name lacks this termination, and eventually leads to dereferencing the pointer at an invalid/arbitrary address, within newdata() and parse_name() in resolv.c.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Uip Project | Uip | 1.0 |
References
- https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01Third Party Advisory, US Government Resource
- https://www.kb.cert.org/vuls/id/815128Third Party Advisory, US Government Resource
- https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01Third Party Advisory, US Government Resource
- https://www.kb.cert.org/vuls/id/815128Third Party Advisory, US Government Resource
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-17440?
How severe is CVE-2020-17440?
How do I fix CVE-2020-17440?
Are you affected by CVE-2020-17440?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST