CVE-2020-27631
Published Oct 10, 2023
·Updated
In Oryx CycloneTCP 1.9.6, TCP ISNs are improperly random.
Affected Software
14 affected components
Oryx-embedded Cyclonetcp=1.9.6
Multiple Nut/Net, Version 5.1 and prior
Multiple CycloneTCP, Version 1.9.6 and prior
Multiple NDKTCPIP, Version 2.25 and prior
Multiple FNET, Version 4.6.3
Multiple uIP-Contiki-OS (end-of-life [EOL]), Version 3.0 and prior
Multiple uC/TCP-IP (EOL), Version 3.6.0 and prior
Multiple uIP-Contiki-NG, Version 4.5 and prior
Multiple uIP (EOL), Version 1.0 and prior
Multiple picoTCP-NG, Version 1.7.0 and prior
Multiple picoTCP (EOL), Version 1.7.0 and prior
Multiple MPLAB Net, Version 3.6.1 and prior
Multiple Nucleus NET, All versions prior to Version 5.2
Multiple Nucleus ReadyStart for ARM, MIPS, and PPC, All versions prior to Version 2012.12
Event History
Oct 10, 2023
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Frequently Asked Questions
1
What is the severity of CVE-2020-27631?
CVE-2020-27631 is considered a high severity vulnerability due to the improper randomness of TCP Initial Sequence Numbers.
2
How do I fix CVE-2020-27631?
To mitigate CVE-2020-27631, update to a version of CycloneTCP that has addressed the ISN generation issue.
3
What types of software are affected by CVE-2020-27631?
CVE-2020-27631 affects Oryx CycloneTCP 1.9.6 and several other TCP/IP stacks including various versions of Nut/Net, NDKTCPIP, and uIP.
4
What is the impact of exploiting CVE-2020-27631?
Exploiting CVE-2020-27631 can allow attackers to predict the TCP sequence numbers, leading to potential session hijacking or man-in-the-middle attacks.
5
Are there any workarounds for CVE-2020-27631?
As of now, updating to a patched version is the primary way to mitigate CVE-2020-27631, as there are no effective workarounds.