Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. The code that parses incoming DNS packets does not validate that domain names present in the DNS responses have '\0' termination. This results in errors when calculating the offset of the pointer that jumps over domain name bytes in DNS response packets when a name lacks this termination, and eventually leads to dereferencing the pointer at an invalid/arbitrary address, within newdata() and parse_name() in resolv.c.
AnalysisAI
An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. The code that parses incoming DNS packets does not validate that domain names present in the DNS responses have '\0' termination. This results in errors when calculating the offset of the pointer that jumps over domain name bytes in DNS response packets when a name lacks this termination, and eventually leads to dereferencing the pointer at an invalid/arbitrary address, within newdata() and parse_name() in resolv.c. Affected products include: Uip Project Uip.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. Rated critical severity (CVSS 9.8), this
An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. Rated high severity (CVSS 8.3), this vuln
The code that processes DNS responses in uIP through 1.0, as used in Contiki and Contiki-NG, does not check whether the
An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. Rated high severity (CVSS 8.2), this vuln
An issue was discovered in Contiki through 3.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab
Share
External POC / Exploit Code
Leaving vuln.today