CVE-2017-1000020

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass authentication on eCos embedded web servers by sending SYN or FIN flood packets, leading to complete device takeover. It affects multiple routers and home devices from manufacturers like TOTOLINK and GREATEK. The attack can be executed remotely or locally without authentication.

💻 Affected Systems

Products:
  • TOTOLINK routers
  • GREATEK routers
  • Other SOHO routers using eCos embedded web servers
Versions: eCos 1 and other versions
Operating Systems: eCos embedded operating system
Default Config Vulnerable: ⚠️ Yes
Notes: Affects embedded devices with eCos web servers, particularly SOHO routers from multiple manufacturers

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete remote device takeover, allowing an attacker to reconfigure the device, intercept traffic, or enlist it in a botnet

🟠 Likely Case: Unauthorized access to the device administration interface, leading to configuration changes and network compromise

🟢 If Mitigated: Limited impact if devices sit behind firewalls with flood protection and network segmentation

🌐 Internet-Facing: HIGH - Directly exposed devices can be attacked remotely without authentication
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack only requires sending flood packets, which is straightforward with common network tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://ecos.sourceware.org/ecos/problemreport.html

Restart Required: No

Instructions:

Check with device manufacturers for firmware updates. No official patch available from eCos project.

🔧 Temporary Workarounds

Network Flood Protection (Linux)

Implement SYN flood protection on network devices upstream of the vulnerable router; the eCos device itself cannot run these rules. The rules below cover only the SYN variant of the flood, and a global 1/s limit also throttles legitimate new connections to the device, so tune the rate for your environment:

# Accept at most one new TCP connection attempt (SYN) per second ...
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
# ... and drop every SYN beyond that rate
iptables -A INPUT -p tcp --syn -j DROP

Network Segmentation (all platforms)

Isolate vulnerable devices from untrusted networks

🧯 If You Can't Patch

  • Replace affected devices with updated models from manufacturers
  • Implement strict network access controls and monitor for flood attacks

🔍 How to Verify

Check if Vulnerable:

Check device firmware version and manufacturer. Test with controlled SYN/FIN flood while monitoring authentication behavior.

Check Version:

Check device web interface or manufacturer documentation for firmware version

Verify Fix Applied:

Verify with manufacturers that updated firmware addresses the vulnerability. Test flood protection mechanisms.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication bypass events
  • Multiple failed login attempts followed by successful access
  • SYN/FIN flood patterns in network logs

Network Indicators:

  • High volume of SYN/FIN packets to device management ports
  • Unauthorized access to device management interfaces

SIEM Query:

source_ip=* dest_ip=[device_ip] (tcp_flags="SYN" OR tcp_flags="FIN") count>1000 per 10s
