CVE-2020-17440 — HIGH (7.5)

Vulnerability Description

An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. The code that parses incoming DNS packets does not validate that domain names present in the DNS responses have '\0' termination. This results in errors when calculating the offset of the pointer that jumps over domain name bytes in DNS response packets when a name lacks this termination, and eventually leads to dereferencing the pointer at an invalid/arbitrary address, within newdata() and parse_name() in resolv.c.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Uip Project	Uip	1.0
Contiki-Os	Contiki	3.0

References

https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01Third Party AdvisoryUS Government Resource
https://www.kb.cert.org/vuls/id/815128Third Party AdvisoryUS Government Resource
https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01Third Party AdvisoryUS Government Resource
https://www.kb.cert.org/vuls/id/815128Third Party AdvisoryUS Government Resource

FAQ

What is CVE-2020-17440?

CVE-2020-17440 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. The code that parses incoming DNS packets does not validate that domain names present in the DNS responses have '\0' term...

How severe is CVE-2020-17440?

CVE-2020-17440 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-17440?

Check the references section above for vendor advisories and patch information. Affected products include: Uip Project Uip, Contiki-Os Contiki.