First published: Fri Dec 11 2020(Updated: )
An issue was discovered in FNET through 4.6.4. The code that initializes the DNS client interface structure does not set sufficiently random transaction IDs (they are always set to 1 in _fnet_dns_poll in fnet_dns.c). This significantly simplifies DNS cache poisoning attacks.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
<=4.6.4 | ||
butok FNET | <=4.6.4 | |
Contiki OS | ||
Contiki-NG | ||
uIP | ||
SUSE Open-iSCSI | ||
altran picoTCP-NG | ||
picoTCP | ||
butok FNET | ||
Nut/Net |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2020-17470 is considered to be high due to its impact on DNS cache poisoning attacks.
To fix CVE-2020-17470, update FNET to version 4.6.5 or later where the random transaction ID issue has been addressed.
CVE-2020-17470 affects FNET versions up to 4.6.4 and several other open source networking software including uIP, Contiki, and open-iscsi.
CVE-2020-17470 exploits the lack of randomness in DNS transaction IDs, making it easier for attackers to perform DNS cache poisoning.
There are no recommended workarounds for CVE-2020-17470; the best mitigation is to apply the available software update.