CVE-2020-17528

9.1 CRITICAL

📋 TL;DR

This vulnerability allows attackers to perform out-of-bounds writes in Apache NuttX's TCP stack by supplying malicious urgent data pointer offsets in TCP packets. This can lead to memory corruption, potentially enabling remote code execution or denial of service. All systems running Apache NuttX versions up to and including 9.1.0 and 10.0.0 are affected.

💻 Affected Systems

Products:
  • Apache NuttX (incubating)
Versions: All versions up to and including 9.1.0 and 10.0.0
Operating Systems: Any OS running Apache NuttX
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations using TCP networking are vulnerable

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with root/system privileges leading to complete system compromise

🟠

Likely Case

Denial of service through system crashes or memory corruption leading to instability

🟢

If Mitigated

Limited impact if network segmentation prevents external access to vulnerable systems

🌐 Internet-Facing: HIGH - Exploitable remotely via TCP packets without authentication
🏢 Internal Only: HIGH - Exploitable from any network segment with access to vulnerable systems

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting TCP packets with malicious urgent data pointer offsets

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 9.1.0 and 10.0.0

Vendor Advisory: https://lists.apache.org/thread.html/r7f4215aba288660b41b7e731b6262c8275fa476e91e527a74d2888ea%40%3Cdev.nuttx.apache.org%3E

Restart Required: Yes

Instructions:

1. Update Apache NuttX to a version after 9.1.0/10.0.0
2. Recompile and redeploy the operating system
3. Restart affected systems

🔧 Temporary Workarounds

Disable TCP urgent data processing
Applies to: all
Modify the NuttX configuration to disable processing of TCP urgent data pointers.
Edit nuttx/.config and set CONFIG_NET_TCPURGDATA=n

Network segmentation
Applies to: all
Isolate vulnerable systems from untrusted networks.

🧯 If You Can't Patch

  • Implement strict network access controls to limit TCP traffic to trusted sources only
  • Deploy network-based intrusion prevention systems to detect and block malicious TCP packets

🔍 How to Verify

Check if Vulnerable:

Check NuttX version with 'uname -a' or examine build configuration for version numbers

Check Version:

uname -a | grep -i nuttx

Verify Fix Applied:

Verify that the NuttX version is newer than 9.1.0/10.0.0 and, if the workaround is in use, that CONFIG_NET_TCPURGDATA is disabled

📡 Detection & Monitoring

Log Indicators:

  • System crashes
  • Memory corruption errors
  • TCP connection anomalies

Network Indicators:

  • TCP packets with unusual urgent data pointer offsets
  • Malformed TCP packets targeting NuttX systems

SIEM Query:

source="network_traffic" AND tcp_flags.urg=1 AND (tcp_urgent_pointer > packet_length OR tcp_urgent_pointer < 0)
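As an added example (not part of this advisory or of NuttX's own code), the check behind the SIEM query above, applied to constructed TCP segments: it flags a segment whose URG bit is set and whose urgent pointer lands past the data the segment actually carries. It assumes the input is the TCP segment with the IP header already stripped; the function names are illustrative.

```python
import struct

URG = 0x20  # URG bit in the TCP flags field

def build_tcp(urg, urgent_pointer, payload, sport=40000, dport=23):
    """Construct a 20-byte TCP header plus payload (constructed test data;
    the checksum is left at zero since it never goes on the wire)."""
    flags = 0x18 | (URG if urg else 0)          # PSH|ACK, optionally URG
    off_flags = (5 << 12) | flags               # data offset 5 words = 20 bytes
    hdr = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, off_flags,
                      65535, 0, urgent_pointer)
    return hdr + payload

def parse_tcp(segment):
    """Decode only the fields the urgent-pointer check needs."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the fixed TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, urgp = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid TCP data offset")
    return {"sport": sport, "dport": dport, "urg": bool(off_flags & URG),
            "urgent_pointer": urgp, "payload_len": len(segment) - data_offset}

def urgent_pointer_out_of_bounds(segment):
    """True when URG is set and the urgent pointer points past the data this
    segment carries: the 'unusual urgent data pointer offset' listed under
    Network Indicators. Without URG the pointer field carries no meaning,
    so those segments are never flagged."""
    f = parse_tcp(segment)
    return f["urg"] and f["urgent_pointer"] > f["payload_len"]

def flag_segments(segments):
    """Indices of segments whose urgent pointer is out of bounds."""
    return [i for i, s in enumerate(segments) if urgent_pointer_out_of_bounds(s)]

# Constructed sample traffic (not captured data).
SAMPLES = [
    build_tcp(False, 0, b"GET / HTTP/1.0\r\n\r\n"),  # plain data, URG clear
    build_tcp(True, 3, b"\xff\xf4\xff\xfd\x06"),      # URG with in-bounds pointer
    build_tcp(True, 0xFFFF, b"abc"),                   # pointer far past 3 bytes
    build_tcp(False, 0xFFFF, b"abc"),                  # URG clear: field ignored
]
```

Only the third sample is flagged; the last one shows why the query's `tcp_flags.urg=1` condition matters, since an unset URG bit leaves the pointer field without meaning.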
