CVE-2020-24334
First published: Fri Dec 11 2020(Updated: )
The code that processes DNS responses in uIP through 1.0, as used in Contiki and Contiki-NG, does not check whether the number of responses specified in the DNS packet header corresponds to the response data available in the DNS packet, leading to an out-of-bounds read and Denial-of-Service in resolv.c.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Uip Project Uip | <=1.0 | |
| Contiki-ng Contiki-ng | ||
| Contiki-os Contiki | ||
| Multiple (open source) picoTCP-NG, Version 1.7.0 and prior | ||
| Multiple (open source) picoTCP (EOL), Version 1.7.0 and prior | ||
| Multiple (open source) FNET, Version 4.6.3 | ||
| Multiple (open source) Nut/Net, Version 5.1 and prior |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2020-24334?
The severity of CVE-2020-24334 is high, with a severity value of 8.2.
What is CVE-2020-24334?
CVE-2020-24334 is a vulnerability in the code that processes DNS responses in uIP through 1.0, leading to an out-of-bounds read and Denial-of-Service in the resolution of DNS names.
Which software is affected by CVE-2020-24334?
The software affected by CVE-2020-24334 is uIP through 1.0, as used in Contiki and Contiki-NG.
How can CVE-2020-24334 be exploited?
CVE-2020-24334 can be exploited by sending a specially crafted DNS response packet with a mismatch between the number of responses specified in the DNS packet header and the response data available, leading to an out-of-bounds read and Denial-of-Service.
Is there a fix for CVE-2020-24334?
A fix for CVE-2020-24334 is not available at the moment. It is recommended to follow the guidelines provided by the software vendor and apply any patches or updates as soon as they become available.
- collector/nvd-index
- agent/first-publish-date
- agent/type
- agent/last-modified-date
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/author
- agent/references
- agent/softwarecombine
- agent/event
- agent/description
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/uip project
- canonical/uip project uip
- version/uip project uip/1.0
- vendor/contiki-ng
- canonical/contiki-ng contiki-ng
- vendor/contiki-os
- canonical/contiki-os contiki
- vendor/multiple (open source)
- canonical/multiple (open source) picotcp-ng, version 1.7.0 and prior
- canonical/multiple (open source) picotcp (eol), version 1.7.0 and prior
- canonical/multiple (open source) fnet, version 4.6.3
- canonical/multiple (open source) nut/net, version 5.1 and prior