Vulnerability Description
An issue was discovered in FNET through 4.6.4. The code for processing the hostname from an LLMNR request doesn't check for '\0' termination. Therefore, the deduced length of the hostname doesn't reflect the correct length of the actual data. This may lead to Information Disclosure in _fnet_llmnr_poll in fnet_llmnr.c during a response to a malicious request of the DNS class IN.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Butok | Fnet | <= 4.6.4 |
Related Weaknesses (CWE)
References
- http://fnet.sourceforge.net/manual/fnet_history.htmlRelease NotesThird Party Advisory
- https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01Third Party AdvisoryUS Government Resource
- https://www.kb.cert.org/vuls/id/815128Third Party AdvisoryUS Government Resource
- http://fnet.sourceforge.net/manual/fnet_history.htmlRelease NotesThird Party Advisory
- https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01Third Party AdvisoryUS Government Resource
- https://www.kb.cert.org/vuls/id/815128Third Party AdvisoryUS Government Resource
FAQ
What is CVE-2020-17467?
CVE-2020-17467 is a vulnerability with a CVSS score of 9.1 (CRITICAL). An issue was discovered in FNET through 4.6.4. The code for processing the hostname from an LLMNR request doesn't check for '\0' termination. Therefore, the deduced length of the hostname doesn't refl...
How severe is CVE-2020-17467?
CVE-2020-17467 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-17467?
Check the references section above for vendor advisories and patch information. Affected products include: Butok Fnet.