CVE-2020-17445

7.5 HIGH

📋 TL;DR

This vulnerability in picoTCP 1.7.0 allows attackers to cause an out-of-bounds read when processing IPv6 destination options due to insufficient length validation. This can lead to denial-of-service conditions in systems using this TCP/IP stack. Affected systems include embedded devices, IoT devices, and industrial control systems that use picoTCP.

💻 Affected Systems

Products:
  • picoTCP
Versions: 1.7.0
Operating Systems: Any OS using picoTCP library
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with IPv6 enabled and using picoTCP stack. Many embedded/IoT devices use this lightweight TCP/IP implementation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system crash or reboot leading to sustained denial-of-service, potentially allowing further exploitation if memory corruption leads to code execution.

🟠 Likely Case

Denial-of-service causing device/system instability or crashes when processing malicious IPv6 packets.

🟢 If Mitigated

Limited impact with proper network segmentation and filtering, potentially causing temporary service disruption.

🌐 Internet-Facing: MEDIUM - Requires IPv6 connectivity and ability to send crafted packets to affected systems.
🏢 Internal Only: LOW - Requires internal network access and IPv6 connectivity to vulnerable systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted IPv6 packets to vulnerable systems. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.1 or later

Vendor Advisory: https://github.com/tass-belgium/picotcp

Restart Required: Yes

Instructions:

1. Update picoTCP library to version 1.7.1 or later.
2. Recompile applications using the library.
3. Restart affected systems/services.

🔧 Temporary Workarounds

Disable IPv6

linux

Disable IPv6 functionality if not required

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

Network Filtering

linux

Block IPv6 destination option packets at network perimeter

ip6tables -A INPUT -m ipv6header --soft --header dst -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems
  • Deploy network intrusion prevention systems to detect and block malicious IPv6 packets

🔍 How to Verify

Check if Vulnerable:

Check picoTCP library version in use. If version is 1.7.0, system is vulnerable.

Check Version:

Check application/library documentation or build configuration for picoTCP version

Verify Fix Applied:

Verify picoTCP library version is 1.7.1 or later after update.

📡 Detection & Monitoring

Log Indicators:

  • System crashes
  • Unexpected reboots
  • Network stack errors

Network Indicators:

  • Malformed IPv6 packets with destination options
  • Unusual IPv6 traffic to embedded devices

SIEM Query:

source="network_firewall" dest_port=* proto=ipv6 dest_options=*
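
The "malformed IPv6 packets with destination options" indicator above can be checked mechanically on captured bytes. The following is an added example, not picoTCP's code and not part of the original advisory: it walks a Destination Options header using the layout from RFC 8200 and reports where a declared length runs past the data, which is the kind of length validation the TL;DR describes as insufficient. The function name, status codes and sample bytes are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes; the names are this example's own. */
enum dstopt_status { DSTOPT_OK, DSTOPT_TRUNCATED_HDR, DSTOPT_HDR_EXCEEDS_PACKET,
                     DSTOPT_OPT_TRUNCATED, DSTOPT_OPT_OVERRUN };

/* Validate one IPv6 Destination Options header (RFC 8200, section 4.6).
 * buf points at its first byte; avail is the number of bytes captured from
 * there. Every index is checked before the byte is read. */
enum dstopt_status check_dest_options(const uint8_t *buf, size_t avail)
{
    if (avail < 2)
        return DSTOPT_TRUNCATED_HDR;      /* need Next Header + Hdr Ext Len */

    /* Hdr Ext Len counts 8-octet units beyond the first 8 octets. */
    size_t hdr_len = ((size_t)buf[1] + 1) * 8;
    if (hdr_len > avail)
        return DSTOPT_HDR_EXCEEDS_PACKET; /* header claims more than was captured */

    size_t off = 2;                       /* options follow the two fixed bytes */
    while (off < hdr_len) {
        if (buf[off] == 0) {              /* Pad1: one byte, no length field */
            off++;
            continue;
        }
        if (hdr_len - off < 2)
            return DSTOPT_OPT_TRUNCATED;  /* option type without a length byte */
        size_t opt_len = buf[off + 1];
        if (opt_len > hdr_len - off - 2)
            return DSTOPT_OPT_OVERRUN;    /* option data runs past the header */
        off += 2 + opt_len;
    }
    return DSTOPT_OK;
}

/* Constructed sample headers, not captured traffic. */
static const uint8_t sample_ok[8]        = { 59, 0, 1, 4, 0, 0, 0, 0 };   /* PadN, 4 data bytes */
static const uint8_t sample_overrun[8]   = { 59, 0, 1, 200, 0, 0, 0, 0 }; /* option length 200 */
static const uint8_t sample_short[8]     = { 59, 3, 1, 4, 0, 0, 0, 0 };   /* claims 32 bytes */
static const uint8_t sample_truncated[8] = { 59, 0, 0, 0, 0, 0, 0, 1 };   /* type in last byte */

int main(void)
{
    printf("%d %d %d %d\n", check_dest_options(sample_ok, 8), check_dest_options(sample_overrun, 8),
           check_dest_options(sample_short, 8), check_dest_options(sample_truncated, 8));
    return 0;
}
```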
