CVE-2020-24334 - OpenCVE

The code that processes DNS responses in uIP through 1.0, as used in Contiki and Contiki-NG, does not check whether the number of responses specified in the DNS packet header corresponds to the response data available in the DNS packet, leading to an out-of-bounds read and Denial-of-Service in resolv.c.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Contiki-ng	Contiki-ng
Contiki-os	Contiki
Uip Project	Uip

Configuration 1 [-]

AND

cpe:2.3:a:uip_project:uip:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:contiki-ng:contiki-ng:-:::::::*
	cpe:2.3:o:contiki-os:contiki:-:::::::*

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01
https://www.kb.cert.org/vuls/id/815128

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-12-11T22:42:04

Updated: 2024-08-04T15:12:09.009Z

Reserved: 2020-08-13T00:00:00

Link: CVE-2020-24334

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-12-11T23:15:13.807

Modified: 2020-12-15T15:03:31.877

Link: CVE-2020-24334

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2020-12-08T00:00:00", "descriptions": [{"lang": "en", "value": "The code that processes DNS responses in uIP through 1.0, as used in Contiki and Contiki-NG, does not check whether the number of responses specified in the DNS packet header corresponds to the response data available in the DNS packet, leading to an out-of-bounds read and Denial-of-Service in resolv.c."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-12-11T22:42:04", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.kb.cert.org/vuls/id/815128"}, {"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-24334", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The code that processes DNS responses in uIP through 1.0, as used in Contiki and Contiki-NG, does not check whether the number of responses specified in the DNS packet header corresponds to the response data available in the DNS packet, leading to an out-of-bounds read and Denial-of-Service in resolv.c."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.kb.cert.org/vuls/id/815128", "refsource": "MISC", "url": "https://www.kb.cert.org/vuls/id/815128"}, {"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:12:09.009Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.kb.cert.org/vuls/id/815128"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-24334", "datePublished": "2020-12-11T22:42:04", "dateReserved": "2020-08-13T00:00:00", "dateUpdated": "2024-08-04T15:12:09.009Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uip_project:uip:*:*:*:*:*:*:*:*", "matchCriteriaId": "98518C5F-7D0A-4B03-A062-651E613A01BE", "versionEndIncluding": "1.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:contiki-ng:contiki-ng:-:*:*:*:*:*:*:*", "matchCriteriaId": "DF2ECFDA-80E0-47DE-BB68-607CEB508140", "vulnerable": false}, {"criteria": "cpe:2.3:o:contiki-os:contiki:-:*:*:*:*:*:*:*", "matchCriteriaId": "E5C40C6C-27AC-423A-8975-11C4290C4904", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The code that processes DNS responses in uIP through 1.0, as used in Contiki and Contiki-NG, does not check whether the number of responses specified in the DNS packet header corresponds to the response data available in the DNS packet, leading to an out-of-bounds read and Denial-of-Service in resolv.c."}, {"lang": "es", "value": "El c\u00f3digo que procesa las respuestas DNS en uIP versiones hasta 1.0, como es usado en Contiki y Contiki-NG, no verifica si el n\u00famero de respuestas especificadas en el encabezado del paquete DNS corresponde a los datos de respuesta disponibles en el paquete DNS, lo que conlleva a una lectura fuera de l\u00edmites y una Denegaci\u00f3n de Servicio en el archivo resolv.c"}], "id": "CVE-2020-24334", "lastModified": "2020-12-15T15:03:31.877", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-11T23:15:13.807", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/815128"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}