CVE-2020-24338

CVSS Score: 9.8 CRITICAL

📋 TL;DR

This vulnerability in picoTCP's DNS implementation allows attackers to send specially crafted DNS responses that trigger out-of-bounds writes, potentially leading to denial-of-service or remote code execution. It affects systems that use picoTCP versions through 1.7.0 for network communications. The high CVSS score reflects the critical impact potential.

💻 Affected Systems

Products:
  • picoTCP embedded TCP/IP stack
Versions: All versions through 1.7.0
Operating Systems: Any OS using picoTCP library
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any device or application using picoTCP with DNS functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with full system compromise, allowing an attacker to execute arbitrary code on vulnerable systems.

🟠 Likely Case: Denial-of-service causing system crashes or instability in affected network services.

🟢 If Mitigated: Limited impact if network segmentation prevents malicious DNS responses from reaching vulnerable systems.

🌐 Internet-Facing: HIGH - Systems exposed to internet DNS traffic are directly vulnerable to attack.
🏢 Internal Only: MEDIUM - Internal systems could be compromised via internal DNS poisoning or malicious internal actors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious DNS responses to vulnerable systems, which can be done remotely without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.7.0

Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01

Restart Required: Yes

Instructions:

1. Update the picoTCP library to a version after 1.7.0.
2. Recompile applications that use the library.
3. Restart affected services or devices.

🔧 Temporary Workarounds

Disable DNS functionality (applies to: all)
  • If DNS is not required, disable DNS client functionality in the picoTCP configuration
  • Modify the picoTCP configuration to disable DNS support

Network filtering (applies to: all)
  • Block or filter incoming DNS responses at the network perimeter
  • Configure firewall rules to restrict DNS traffic to trusted sources only

🧯 If You Can't Patch

  • Segment network to isolate vulnerable systems from untrusted DNS sources
  • Implement strict firewall rules allowing DNS only from trusted internal resolvers

🔍 How to Verify

Check if Vulnerable:

Check the picoTCP library version in use. If the version is 1.7.0 or earlier, the system is vulnerable.

Check Version:

Check the application documentation or build configuration for picoTCP version information.

Verify Fix Applied:

Verify that the picoTCP library has been updated beyond 1.7.0 and that applications have been recompiled against the updated library.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes, memory corruption errors, abnormal DNS response handling

Network Indicators:

  • Unusual DNS response patterns, malformed DNS packets to vulnerable systems

SIEM Query:

(dns AND ((response AND malformed) OR corruption)) OR (application_crash AND picoTCP)
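The network indicator above ("malformed DNS packets to vulnerable systems") is easier to act on with a concrete definition of malformed. The following Python checker is an added example, not code from this page or from the picoTCP project: it walks a DNS response and reports every place where a length field or name-compression pointer disagrees with the bytes actually present (truncated header, RDLENGTH past the end of the packet, pointer loops, trailing bytes). The sample packets are constructed inline for the demonstration; they illustrate the general class of inconsistency a bounds-checked parser must reject and do not reproduce the specific trigger for this CVE.

```python
import struct

DNS_HEADER_LEN = 12
MAX_NAME_LEN = 255
FIXED_RDATA_LEN = {1: 4, 28: 16}   # A and AAAA records have a fixed RDATA size


def _read_name(pkt, off):
    """Return the offset just past the DNS name starting at `off`, or None if the
    name is malformed: a label running past the packet, a compression pointer that
    does not point strictly backwards (loops, forward references), an unknown label
    type, or a name longer than 255 octets."""
    resume = None            # where the caller continues once a pointer was followed
    total = 0
    while True:
        if off >= len(pkt):
            return None
        length = pkt[off]
        if length == 0:                      # root label terminates the name
            off += 1
            break
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if off + 1 >= len(pkt):
                return None
            target = ((length & 0x3F) << 8) | pkt[off + 1]
            if target >= off:                # must point backwards, so chains always end
                return None
            if resume is None:
                resume = off + 2
            off = target
            continue
        if length & 0xC0:                    # 0x40 / 0x80 label types are not valid here
            return None
        total += length + 1
        if total > MAX_NAME_LEN or off + 1 + length > len(pkt):
            return None
        off += 1 + length
    return off if resume is None else resume


def check_dns_response(pkt):
    """Return a list of findings explaining why `pkt` is not a well-formed DNS
    response; an empty list means every section parsed inside the packet's bounds.
    Parsing stops at the first structural error, since later offsets are meaningless."""
    findings = []
    if len(pkt) < DNS_HEADER_LEN:
        return ["truncated header: %d bytes" % len(pkt)]
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:DNS_HEADER_LEN])
    if not flags & 0x8000:
        findings.append("QR bit clear: packet is a query, not a response")
    off = DNS_HEADER_LEN
    for i in range(qd):
        end = _read_name(pkt, off)
        if end is None or end + 4 > len(pkt):        # QTYPE + QCLASS
            findings.append("question %d: name malformed or fields truncated" % i)
            return findings
        off = end + 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for i in range(count):
            end = _read_name(pkt, off)
            if end is None or end + 10 > len(pkt):   # TYPE, CLASS, TTL, RDLENGTH
                findings.append("%s RR %d: name malformed or fixed fields truncated" % (section, i))
                return findings
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[end:end + 10])
            rdata = end + 10
            if rdata + rdlen > len(pkt):
                findings.append("%s RR %d: RDLENGTH %d exceeds %d bytes remaining"
                                % (section, i, rdlen, len(pkt) - rdata))
                return findings
            if rtype in FIXED_RDATA_LEN and rdlen != FIXED_RDATA_LEN[rtype]:
                findings.append("%s RR %d: type %d with RDLENGTH %d" % (section, i, rtype, rdlen))
            if rtype in (2, 5, 12):                  # NS, CNAME, PTR carry a name in RDATA
                name_end = _read_name(pkt, rdata)
                if name_end is None or name_end > rdata + rdlen:
                    findings.append("%s RR %d: RDATA name malformed or overruns RDLENGTH" % (section, i))
            off = rdata + rdlen
    if off != len(pkt):
        findings.append("%d trailing bytes after the last section" % (len(pkt) - off))
    return findings


# --- constructed sample packets for the demonstration (not captured traffic) ---

def _name(*labels):
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def _rr(name, rtype, rdata, ttl=300):
    return name + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


HDR = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # standard response, 1 Q, 1 answer
Q = _name(b"example", b"com") + struct.pack("!HH", 1, 1)    # example.com IN A
ANS_OFF = DNS_HEADER_LEN + len(Q)                           # offset of the answer RR (29)
PTR_TO_QNAME = b"\xc0\x0c"                                  # pointer to the name at offset 12

GOOD = HDR + Q + _rr(PTR_TO_QNAME, 1, bytes([192, 0, 2, 1]))
# RDLENGTH claims 16384 bytes but only two follow: a length field inconsistent with the packet
OVERLONG_RDLEN = HDR + Q + PTR_TO_QNAME + struct.pack("!HHIH", 1, 1, 300, 0x4000) + b"\xc0\x00"
# Answer name is a compression pointer to itself: a naive name walker never terminates
POINTER_LOOP = HDR + Q + _rr(b"\xc0" + bytes([ANS_OFF]), 1, bytes([192, 0, 2, 1]))
TRUNCATED = GOOD[:8]

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("overlong-rdlength", OVERLONG_RDLEN),
                       ("pointer-loop", POINTER_LOOP), ("truncated", TRUNCATED)):
        print(label, check_dns_response(pkt) or ["ok"])
```

Fed with responses taken from a capture (for example the UDP payload of each port 53 reply seen by a sensor in front of a picoTCP device), a non-empty finding list is exactly the "malformed DNS packet" condition the SIEM query above is looking for, and the finding text names the section and field that disagree. The backwards-only rule for compression pointers is what guarantees the name walker terminates on any input, which is the property a resolver implementation needs before it trusts any offset derived from the packet.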
