First published: Fri Dec 11 2020
An issue was discovered in Contiki through 3.0 and Contiki-NG through 4.5. The code for parsing Type A domain name answers in ip64-dns64.c does not verify that the length of the address in the answer is sane. Therefore, when an address of arbitrary length is copied, a buffer overflow can occur. This bug can be exploited whenever NAT64 is enabled.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Contiki-ng Contiki-ng | <=4.5 | |
Contiki-os Contiki | <=3.0 | |
Multiple (open source) picoTCP-NG | Version 1.7.0 and prior | |
Multiple (open source) picoTCP (EOL) | Version 1.7.0 and prior | |
Multiple (open source) FNET | Version 4.6.3 | |
Multiple (open source) Nut/Net | Version 5.1 and prior | |
CVE-2020-24336 is a vulnerability in Contiki and Contiki-NG that can lead to a buffer overflow due to improper verification when parsing domain name answers.
CVE-2020-24336 has a severity score of 9.8 (Critical).
Contiki versions up to 3.0 and Contiki-NG versions up to 4.5 are affected by CVE-2020-24336.
CVE-2020-24336 is associated with the CWE IDs 119 and 120.
To fix CVE-2020-24336, it is recommended to update to a patched version of Contiki or Contiki-NG.
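
The length check that the description says is missing can be illustrated with a small parser. This is an added example, not code from Contiki or Contiki-NG; the function name `parse_a_answer`, the constants and the sample records are hypothetical, and the caller is assumed to have already skipped the record's owner name.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_TYPE_A    1
#define DNS_CLASS_IN  1
#define RR_FIXED_LEN 10   /* TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) */
#define IPV4_LEN      4

/* Hypothetical helper, not Contiki code. Parses the answer record whose fixed
 * part starts at pkt[off]. Returns 1 and fills out[] for a valid A record,
 * 0 for a well-formed record of another type, -1 if the record is malformed.
 * On 0 or 1, *next is the offset just past this record. */
int parse_a_answer(const uint8_t *pkt, size_t pkt_len, size_t off,
                   uint8_t out[IPV4_LEN], size_t *next)
{
  if(off > pkt_len || pkt_len - off < RR_FIXED_LEN) {
    return -1;                        /* fixed fields are truncated */
  }
  const uint8_t *rr = pkt + off;
  uint16_t type  = (uint16_t)((rr[0] << 8) | rr[1]);
  uint16_t klass = (uint16_t)((rr[2] << 8) | rr[3]);
  uint16_t rdlen = (uint16_t)((rr[8] << 8) | rr[9]);
  if(pkt_len - off - RR_FIXED_LEN < rdlen) {
    return -1;                        /* RDATA runs past the packet */
  }
  if(type != DNS_TYPE_A || klass != DNS_CLASS_IN) {
    *next = off + RR_FIXED_LEN + rdlen;
    return 0;                         /* skip records we do not translate */
  }
  if(rdlen != IPV4_LEN) {
    return -1;                        /* an A record carries exactly 4 bytes */
  }
  /* Copy a constant size. An unchecked memcpy(out, rdata, rdlen) at this
   * point is the overflow pattern the advisory describes. */
  memcpy(out, rr + RR_FIXED_LEN, IPV4_LEN);
  *next = off + RR_FIXED_LEN + rdlen;
  return 1;
}

/* Constructed sample records: type A, class IN, TTL 60. */
static const uint8_t good_rr[] = { 0,1, 0,1, 0,0,0,60, 0,4, 192,0,2,1 };
/* RDLENGTH 8 with 8 bytes present: inside the packet, too big for out[]. */
static const uint8_t wide_rr[] = { 0,1, 0,1, 0,0,0,60, 0,8, 1,2,3,4,5,6,7,8 };
/* RDLENGTH claims 200 bytes but only 4 follow. */
static const uint8_t long_rr[] = { 0,1, 0,1, 0,0,0,60, 0,200, 192,0,2,1 };

int main(void) {
  uint8_t ip[IPV4_LEN]; size_t next = 0;
  return parse_a_answer(good_rr, sizeof good_rr, 0, ip, &next) == 1 ? 0 : 1;
}
```

The `wide_rr` case is the one a packet-bounds check alone does not catch: the data is really present in the packet, so only the comparison against the destination size rejects it.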