First published: Fri Dec 11 2020 (Updated: )
The code that processes DNS responses in uIP through 1.0, as used in Contiki and Contiki-NG, does not check whether the number of responses specified in the DNS packet header corresponds to the response data available in the DNS packet, leading to an out-of-bounds read and Denial-of-Service in resolv.c.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
Uip Project Uip | <=1.0 |
Contiki-ng Contiki-ng | |
Contiki-os Contiki | |
Multiple (open source) picoTCP-NG | Version 1.7.0 and prior |
Multiple (open source) picoTCP (EOL) | Version 1.7.0 and prior |
Multiple (open source) FNET | Version 4.6.3 |
Multiple (open source) Nut/Net | Version 5.1 and prior |
CVE-2020-24334 is rated high severity, with a severity value of 8.2.
CVE-2020-24334 is a vulnerability in the code that processes DNS responses in uIP through 1.0, leading to an out-of-bounds read and Denial-of-Service in the resolution of DNS names.
The software affected by CVE-2020-24334 is uIP through 1.0, as used in Contiki and Contiki-NG.
CVE-2020-24334 can be exploited by sending a specially crafted DNS response packet with a mismatch between the number of responses specified in the DNS packet header and the response data available, leading to an out-of-bounds read and Denial-of-Service.
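The defect described above is a parser that trusts the ANCOUNT field of the DNS header and keeps reading answer records after the packet data has run out. The following is an added illustration of the missing check, not code from uIP, Contiki or any other listed project: a minimal DNS answer-section walker that validates every name, fixed-size record header and RDATA length against the actual buffer length before touching it, so a header that claims more answers than the packet carries is reported as truncated instead of read out of bounds. The sample response (one A record for a constructed name) and the helper names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DNS_HDR_LEN 12          /* ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT */

enum { DNS_TRUNCATED = -1, DNS_BAD_NAME = -2 };

/* Advance past one (possibly compressed) name starting at `off`.
 * Returns the offset just after the name, or a negative error code.
 * Every byte is length-checked before it is read. */
static int dns_skip_name(const uint8_t *pkt, size_t len, size_t off) {
    for (;;) {
        if (off >= len) return DNS_TRUNCATED;
        uint8_t lab = pkt[off];
        if (lab == 0) return (int)(off + 1);             /* root label ends the name */
        if ((lab & 0xC0) == 0xC0) {                      /* compression pointer: 2 bytes */
            if (off + 2 > len) return DNS_TRUNCATED;
            return (int)(off + 2);
        }
        if (lab > 63) return DNS_BAD_NAME;               /* reserved label types */
        off += 1 + lab;
    }
}

/* Walk the question and answer sections of a DNS response.
 * Returns the number of answers that are fully contained in the buffer,
 * or DNS_TRUNCATED / DNS_BAD_NAME. The loop is bounded by ANCOUNT *and*
 * by `len`, which is the check the vulnerable code lacked. */
int dns_count_valid_answers(const uint8_t *pkt, size_t len) {
    if (len < DNS_HDR_LEN) return DNS_TRUNCATED;
    uint16_t qdcount = (uint16_t)((pkt[4] << 8) | pkt[5]);
    uint16_t ancount = (uint16_t)((pkt[6] << 8) | pkt[7]);
    size_t off = DNS_HDR_LEN;

    /* Question section: NAME, QTYPE(2), QCLASS(2) */
    for (uint16_t i = 0; i < qdcount; i++) {
        int n = dns_skip_name(pkt, len, off);
        if (n < 0) return n;
        off = (size_t)n;
        if (off + 4 > len) return DNS_TRUNCATED;
        off += 4;
    }

    /* Answer section: NAME, TYPE(2), CLASS(2), TTL(4), RDLENGTH(2), RDATA */
    int answers = 0;
    for (uint16_t i = 0; i < ancount; i++) {
        int n = dns_skip_name(pkt, len, off);
        if (n < 0) return n;
        off = (size_t)n;
        if (off + 10 > len) return DNS_TRUNCATED;        /* fixed part of the RR */
        uint16_t rdlen = (uint16_t)((pkt[off + 8] << 8) | pkt[off + 9]);
        off += 10;
        if (off + rdlen > len) return DNS_TRUNCATED;     /* RDATA must fit too */
        off += rdlen;
        answers++;
    }
    return answers;
}

/* Constructed sample: response for "a.io" with exactly one A record (38 bytes).
 * The ANCOUNT field is overwritten with `ancount` so a lying header can be tested. */
static size_t dns_sample_response(uint8_t *buf, size_t cap, uint16_t ancount) {
    static const uint8_t sample[] = {
        0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
        0x01, 'a', 0x02, 'i', 'o', 0x00, 0x00, 0x01, 0x00, 0x01,   /* question */
        0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3C, /* answer hdr */
        0x00, 0x04, 0x0A, 0x00, 0x00, 0x01                          /* RDLENGTH, A */
    };
    if (cap < sizeof sample) return 0;
    memcpy(buf, sample, sizeof sample);
    buf[6] = (uint8_t)(ancount >> 8);
    buf[7] = (uint8_t)(ancount & 0xFF);
    return sizeof sample;
}

/* Parse the sample with a chosen ANCOUNT and an optional shorter length
 * (truncate_to == 0 means use the full packet). */
int dns_check_sample(uint16_t ancount, size_t truncate_to) {
    uint8_t buf[64];
    size_t len = dns_sample_response(buf, sizeof buf, ancount);
    if (truncate_to != 0 && truncate_to < len) len = truncate_to;
    return dns_count_valid_answers(buf, len);
}
```

With an honest header the walker reports one answer; with ANCOUNT raised to 5 on the same 38-byte packet, or with the packet cut short, it returns DNS_TRUNCATED before any read past the buffer. A resolver built this way would discard the packet at that point rather than continue into adjacent memory.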
A fix for CVE-2020-24334 is not available at the moment. It is recommended to follow the guidelines provided by the software vendor and apply any patches or updates as soon as they become available.