CVE-2020-17469

Q: What is the severity of CVE-2020-17469?

CVE-2020-17469 is classified as a medium severity vulnerability.

Q: How do I fix CVE-2020-17469?

To fix CVE-2020-17469, update the affected software to the latest version provided by the vendor.

Q: What systems are affected by CVE-2020-17469?

CVE-2020-17469 affects multiple open-source software including FNET, uIP-Contiki-OS, Contiki-NG, and open-iscsi.

Q: What kind of attack can exploit CVE-2020-17469?

CVE-2020-17469 can potentially be exploited through IPv6 fragment reassembly attacks.

Q: Is CVE-2020-17469 a zero-day vulnerability?

CVE-2020-17469 is not a zero-day vulnerability since a patch has been made available.

Published Dec 11, 2020

Updated

An issue was discovered in FNET through 4.6.4. The code for IPv6 fragment reassembly tries to access a previous fragment starting from a network incoming fragment that still doesn't have a reference to the previous one (which supposedly resides in the reassembly list). When faced with an incoming fragment that belongs to a non-empty fragment list, IPv6 reassembly must check that there are no empty holes between the fragments: this leads to an uninitialized pointer dereference in _fnet_ip6_reassembly in fnet_ip6.c, and causes Denial-of-Service.

Affected Software

9 affected components

Butok Fnet<=4.6.4

Multiple (open source) uIP-Contiki-OS (end-of-life [EOL]), Version 3.0 and prior

Multiple (open source) uIP-Contiki-NG, Version 4.5 and prior

Multiple (open source) uIP (EOL), Version 1.0 and prior

Multiple (open source) open-iscsi, Version 2.1.12 and prior

Multiple (open source) picoTCP-NG, Version 1.7.0 and prior

Multiple (open source) picoTCP (EOL), Version 1.7.0 and prior

Multiple (open source) FNET, Version 4.6.3

Multiple (open source) Nut/Net, Version 5.1 and prior

Event History

Dec 11, 2020

CVE Published

via MITRE·10:39 PM

Data Sourced

via MITRE·10:39 PM

Description

Frequently Asked Questions

What is the severity of CVE-2020-17469?

CVE-2020-17469 is classified as a medium severity vulnerability.

How do I fix CVE-2020-17469?

To fix CVE-2020-17469, update the affected software to the latest version provided by the vendor.

What systems are affected by CVE-2020-17469?

CVE-2020-17469 affects multiple open-source software including FNET, uIP-Contiki-OS, Contiki-NG, and open-iscsi.

What kind of attack can exploit CVE-2020-17469?

CVE-2020-17469 can potentially be exploited through IPv6 fragment reassembly attacks.

Is CVE-2020-17469 a zero-day vulnerability?

CVE-2020-17469 is not a zero-day vulnerability since a patch has been made available.

CVSS Score

7.5High

High Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Security Metrics

Risk Score44

Severityhigh(7.5)

CWE

824125

Timeline

PublishedDec 11, 2020

Updated

References

Parent Advisories

ICSA-20-343-01

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.