CVE-2020-17439: Input Validation
First published: Fri Dec 11 2020(Updated: )
An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. The code that parses incoming DNS packets does not validate that the incoming DNS replies match outgoing DNS queries in newdata() in resolv.c. Also, arbitrary DNS replies are parsed if there was any outgoing DNS query with a transaction ID that matches the transaction ID of an incoming reply. Provided that the default DNS cache is quite small (only four records) and that the transaction ID has a very limited set of values that is quite easy to guess, this can lead to DNS cache poisoning.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Uip Project Uip | =1.0 | |
| Contiki-os Contiki | =3.0 | |
| Multiple (open source) picoTCP-NG, Version 1.7.0 and prior | ||
| Multiple (open source) picoTCP (EOL), Version 1.7.0 and prior | ||
| Multiple (open source) FNET, Version 4.6.3 | ||
| Multiple (open source) Nut/Net, Version 5.1 and prior |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-17439?
CVE-2020-17439 is a vulnerability discovered in uIP 1.0, as used in Contiki 3.0 and other products, that allows arbitrary DNS replies to be parsed if there was any outgoing DNS query.
What is the severity of CVE-2020-17439?
The severity of CVE-2020-17439 is high, with a severity value of 8.3.
How does CVE-2020-17439 impact users?
CVE-2020-17439 allows for arbitrary DNS replies to be parsed, which could potentially lead to DNS spoofing or other malicious activities.
What is the affected software?
The affected software includes uIP 1.0 as used in Contiki 3.0 and other products.
Is there a fix for CVE-2020-17439?
Currently, there are no known fixes for CVE-2020-17439. It is recommended to follow the mitigation steps provided by the vendor or refer to the provided references for any updates.
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/author
- agent/references
- agent/softwarecombine
- agent/tags
- agent/event
- agent/description
- collector/mitre-cve
- source/MITRE
- vendor/uip project
- canonical/uip project uip
- version/uip project uip/1.0
- vendor/contiki-os
- canonical/contiki-os contiki
- version/contiki-os contiki/3.0
- vendor/multiple (open source)
- canonical/multiple (open source) picotcp-ng, version 1.7.0 and prior
- canonical/multiple (open source) picotcp (eol), version 1.7.0 and prior
- canonical/multiple (open source) fnet, version 4.6.3
- canonical/multiple (open source) nut/net, version 5.1 and prior