CVE-2020-6097

7.5 HIGH (CVSS v3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H; availability impact only)

📋 TL;DR

A remote, unauthenticated attacker can crash the atftpd daemon by sending a specially crafted sequence of TFTP read requests (RRQ) that carry the multicast option (RFC 2090). The malformed sequence drives the server into an assert() call, which aborts the process, so every transfer in progress is lost and the service stays down until the daemon is restarted. The advisory names atftp 0.7.git20120829-3.1+b1 (the Debian/Ubuntu package build that was tested). Organizations running atftpd for TFTP services, typically PXE boot and network-device configuration or firmware delivery, are affected; the atftp client is not.

💻 Affected Systems

Products:
  • atftp
Versions: 0.7.git20120829-3.1+b1 (the Debian/Ubuntu build named in the advisory) and earlier builds of the 0.7 series; consult your distribution's advisory for the affected package version on other distributions
Operating Systems: Linux distributions including Debian, Ubuntu, openSUSE
Default Config Vulnerable: ⚠️ Yes
Notes: Only the atftpd daemon is affected, and only while it is listening. Systems that ship the package but do not run the server, or that run only the atftp client, are not exposed.

📦 What is this software?

atftp (Advanced TFTP) is a client/server implementation of the Trivial File Transfer Protocol (RFC 1350) that also implements the TFTP option extensions (RFC 2347, 2348, 2349) and multicast TFTP (RFC 2090). The server, atftpd, is multithreaded, can run as a standalone daemon or from inetd, and is commonly used to serve PXE boot images and configuration files to network devices. TFTP carries no authentication, so anyone who can reach UDP port 69 can talk to the server.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption of TFTP services, potentially affecting network boot processes, configuration file transfers, or firmware updates that rely on atftpd.

🟠

Likely Case

Service outage of the atftpd daemon, disrupting TFTP-dependent operations until it is restarted. When atftpd runs as a standalone daemon without an automatic-restart policy it stays down until someone restarts it; when it is spawned per request from inetd, only the instance handling the malicious sequence dies, so the outage is limited to transfers in progress and the attacker has to keep re-sending the sequence to keep the service down.

🟢

If Mitigated

Minimal impact if atftpd is not internet-facing and network access is restricted; service interruption limited to internal network segments.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only the ability to send UDP datagrams to the atftpd listening port (UDP 69 by default). TFTP has no authentication and no handshake to spoof, so any host that can reach the port can send the crafted RRQ sequence carrying the multicast option and abort the daemon.
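The trigger described above is a read request carrying the RFC 2090 multicast option, which a normal PXE or configuration client almost never sends. The following is an added example, not atftp code and not part of the original advisory: a small decoder for TFTP RRQ/WRQ datagrams (RFC 1350 layout plus RFC 2347 options) that flags multicast read requests and counts them per source, the kind of check an IDS rule or a packet-capture triage script would do. It does not reproduce the crashing sequence, which the page does not publish. The sample datagrams, the 10.0.0.0/8 source addresses and the alert threshold of three requests are all constructed for the example.

```python
"""Decode TFTP requests and flag RRQs that carry the RFC 2090 multicast option.

Added example for this advisory; not atftp code. Sample traffic, source
addresses and the alert threshold are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

TFTP_RRQ, TFTP_WRQ = 1, 2


@dataclass
class TftpRequest:
    opcode: int
    filename: str
    mode: str
    options: Dict[str, str] = field(default_factory=dict)

    @property
    def wants_multicast(self) -> bool:
        # RFC 2090: a client asks for a multicast transfer by adding a
        # "multicast" option with an empty value to its RRQ.
        return self.opcode == TFTP_RRQ and "multicast" in self.options


def _cstrings(payload: bytes) -> List[str]:
    """Split NUL-terminated strings; reject a trailing unterminated string."""
    parts = payload.split(b"\x00")
    if parts[-1] != b"":
        raise ValueError("unterminated string in TFTP request")
    return [p.decode("ascii", errors="replace") for p in parts[:-1]]


def parse_tftp_request(datagram: bytes) -> Optional[TftpRequest]:
    """Return a TftpRequest for RRQ/WRQ datagrams, None for any other opcode.

    Layout (RFC 1350 with RFC 2347 options):
      opcode(2) | filename NUL | mode NUL | [optname NUL optvalue NUL]...
    """
    if len(datagram) < 4:
        raise ValueError("datagram too short for a TFTP request header")
    opcode = int.from_bytes(datagram[:2], "big")
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None
    fields = _cstrings(datagram[2:])
    if len(fields) < 2:
        raise ValueError("request is missing filename or mode")
    filename, mode, rest = fields[0], fields[1].lower(), fields[2:]
    if len(rest) % 2:
        raise ValueError("option name without a value")
    # Option names are case-insensitive (RFC 2347).
    options = {rest[i].lower(): rest[i + 1] for i in range(0, len(rest), 2)}
    return TftpRequest(opcode, filename, mode, options)


def build_rrq(filename: str, mode: str = "octet", **options: str) -> bytes:
    """Encode an RRQ; used here only to construct sample traffic."""
    out = TFTP_RRQ.to_bytes(2, "big") + filename.encode() + b"\x00" + mode.encode() + b"\x00"
    for name, value in options.items():
        out += name.encode() + b"\x00" + value.encode() + b"\x00"
    return out


def multicast_rrq_sources(packets: Iterable[Tuple[str, bytes]], threshold: int = 3) -> Dict[str, int]:
    """Count multicast RRQs per source; return the sources at or over the threshold.

    Malformed datagrams are skipped: a monitor must not fall over on
    attacker-controlled input, which is exactly the failure mode of this CVE.
    """
    counts = Counter()
    for src, datagram in packets:
        try:
            req = parse_tftp_request(datagram)
        except ValueError:
            continue
        if req is not None and req.wants_multicast:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample traffic: (source address, datagram).
SAMPLE_PACKETS: List[Tuple[str, bytes]] = [
    ("10.0.0.20", build_rrq("pxelinux.0", blksize="1428", tsize="0")),  # ordinary PXE client
    ("10.0.0.5", build_rrq("pxelinux.0", multicast="")),                # repeated multicast RRQs
    ("10.0.0.5", build_rrq("pxelinux.0", multicast="")),
    ("10.0.0.5", build_rrq("pxelinux.0", multicast="")),
    ("10.0.0.9", build_rrq("vmlinuz", multicast="")),                   # one multicast RRQ
    ("10.0.0.9", (4).to_bytes(2, "big") + (1).to_bytes(2, "big")),       # ACK, not a request
    ("10.0.0.7", b"\x00\x01pxelinux.0\x00octet"),                         # unterminated mode
]

if __name__ == "__main__":
    for src, datagram in SAMPLE_PACKETS:
        try:
            print(src, parse_tftp_request(datagram))
        except ValueError as exc:
            print(src, "malformed:", exc)
    print("sources over threshold:", multicast_rrq_sources(SAMPLE_PACKETS))
```

Run against a capture of port-69 traffic, the per-source count is the network indicator listed under Detection & Monitoring; in a deployment where no client is expected to use multicast TFTP, even a threshold of one is reasonable.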

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed upstream in atftp 0.7.2; install the updated atftp/atftpd package from your distribution (the openSUSE advisory below updates to 0.7.2). Note that a Debian "+bN" suffix denotes a binary-only rebuild of the same source, so a "+b2" build would not carry the fix; look for a new upstream version or a new Debian revision of the package.

Vendor Advisory: http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00058.html

Restart Required: Yes

Instructions:

1. Update the package with the system package manager. On Debian/Ubuntu the server is the atftpd binary package (atftp is the client): sudo apt update && sudo apt install --only-upgrade atftpd
2. For openSUSE: sudo zypper update atftp
3. Restart the daemon (sudo systemctl restart atftpd) or reboot the system; a running atftpd keeps the old code until restarted.

🔧 Temporary Workarounds

Disable atftpd Service

linux

Stop and disable the atftpd daemon if TFTP services are not required. On Debian/Ubuntu, atftpd may instead be started from inetd (USE_INETD=true in /etc/default/atftpd); in that case disable the tftp entry in the inetd configuration as well, otherwise inetd respawns the daemon on the next request.

sudo systemctl stop atftpd
sudo systemctl disable atftpd

Network Access Control

linux

Restrict network access to atftpd using firewall rules to limit exposure. Replace trusted_network with the CIDR of the clients that legitimately boot or fetch files from this server (for example a PXE VLAN). Filtering UDP 69 is sufficient for this issue because the trigger is the initial request; data transfers continue on ephemeral ports. These rules do not survive a reboot unless saved with your distribution's persistence mechanism.

sudo iptables -A INPUT -p udp --dport 69 -s trusted_network -j ACCEPT
sudo iptables -A INPUT -p udp --dport 69 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate atftpd servers from untrusted networks.
  • Deploy intrusion detection/prevention to alert on TFTP read requests that carry the multicast option. Ordinary PXE and configuration clients do not request multicast transfers, so in most deployments any multicast RRQ, and certainly repeated ones from a single source, is an anomaly worth blocking.
  • If the daemon must stay up, run it under a supervisor that restarts it on failure (for example Restart=on-failure in a systemd drop-in) so that a crash is a brief interruption rather than an outage; this does not remove the vulnerability.

🔍 How to Verify

Check if Vulnerable:

Check the installed package version. On Debian/Ubuntu, query the atftpd binary package (the server); a version of 0.7.git20120829-3.1+b1 or earlier is vulnerable. The "+b1" string is a Debian/Ubuntu package version; rpm-based distributions use their own version numbers, so compare against the fixed version named in your distribution's advisory (upstream 0.7.2 or later).

Check Version:

dpkg -l | grep atftp  # Debian/Ubuntu: lists both atftp (client) and atftpd (server)
dpkg-query -W -f='${Version}\n' atftpd  # Debian/Ubuntu: server version only
dpkg --compare-versions "$(dpkg-query -W -f='${Version}' atftpd)" le 0.7.git20120829-3.1+b1 && echo VULNERABLE  # Debian/Ubuntu
rpm -q atftp  # RHEL/CentOS/SUSE
apt-cache policy atftpd  # Alternative Debian/Ubuntu: shows installed and candidate versions

Verify Fix Applied:

After the update, verify with the same commands that the installed version is the fixed one named in your distribution's advisory (upstream atftp 0.7.2 or later), confirm the daemon was restarted (systemctl status atftpd should show a start time after the upgrade), and test that TFTP still works, for example by fetching a known file with the client: atftp --get --remote-file pxelinux.0 --local-file /tmp/test.bin <server>.

📡 Detection & Monitoring

Log Indicators:

  • glibc assertion messages from the atftpd process ("Assertion `...' failed") in syslog or the journal; atftpd logs through syslog by default, so look under the daemon facility rather than a dedicated file
  • systemd records of the unit aborting: "atftpd.service: Main process exited, code=dumped, status=6/ABRT" followed by "Failed with result 'core-dump'", or a new core file picked up by coredumpctl
  • unexpected daemon termination, restarts or gaps in serving activity

Network Indicators:

  • TFTP read requests (opcode 1) carrying the "multicast" option, especially several in a short interval from a single source
  • UDP traffic to port 69 from hosts that are not expected TFTP clients, or request patterns that do not match normal PXE behaviour

SIEM Query:

(process="atftpd" OR "atftpd.service") AND ("Assertion" OR "status=6/ABRT" OR "core-dump")

Select on the program name or systemd unit rather than a log file name: atftpd logs via syslog and the abort itself is recorded by systemd, not by atftpd.
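The log indicators above, turned into detection logic. This is an added example, not atftp or distribution code, run over constructed syslog lines: it anchors each pattern on the atftpd program name or unit so that assertion failures in unrelated services do not fire, and it counts crashes from the systemd exit record rather than from every matching line, so one abort that produces three log lines counts once. The assertion text in the sample line is a placeholder; the real message names a source file, line and condition that this page does not give.

```python
"""Find atftpd crash signatures in syslog/journal lines.

Added example for this advisory; not atftp or distribution code. SAMPLE_LOG
is constructed; the assertion text is a placeholder.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# (event label, pattern). Every pattern is anchored on the atftpd process
# or unit name so that other services' assertion failures are ignored.
CRASH_PATTERNS = [
    ("assert_failed", re.compile(r"atftpd\[\d+\]: .*Assertion .* failed")),
    ("sigabrt_exit", re.compile(r"atftpd\.service: Main process exited, code=(dumped|killed), status=6/ABRT")),
    ("core_dump", re.compile(r"atftpd\.service: Failed with result 'core-dump'")),
]

# Classic syslog prefix: "Mon DD HH:MM:SS host ..."
SYSLOG_PREFIX = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ")


def classify_line(line: str) -> Optional[Dict[str, str]]:
    """Return an event record if the line is a crash indicator, else None."""
    for label, pattern in CRASH_PATTERNS:
        if pattern.search(line):
            m = SYSLOG_PREFIX.match(line)
            return {
                "event": label,
                "timestamp": m.group(1) if m else "",
                "host": m.group(2) if m else "",
                "line": line.strip(),
            }
    return None


def crash_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """All crash-indicator records in the input, in log order."""
    return [ev for ev in (classify_line(line) for line in lines) if ev]


def crashes_per_host(lines: Iterable[str]) -> Dict[str, int]:
    """Number of daemon aborts per host, counted from the systemd exit record only."""
    counts = Counter(ev["host"] for ev in crash_events(lines) if ev["event"] == "sigabrt_exit")
    return dict(counts)


# Constructed sample log. The assertion line is a placeholder for the real
# glibc message, which names the actual file, line and condition.
SAMPLE_LOG = """\
Oct 14 10:21:03 tftp1 atftpd[1234]: Serving /srv/tftp/pxelinux.0 to 10.0.0.20:49152
Oct 14 10:21:04 tftp1 atftpd[1234]: atftpd: EXAMPLE.c:0: EXAMPLE: Assertion `EXAMPLE' failed.
Oct 14 10:21:04 tftp1 systemd[1]: atftpd.service: Main process exited, code=dumped, status=6/ABRT
Oct 14 10:21:04 tftp1 systemd[1]: atftpd.service: Failed with result 'core-dump'.
Oct 14 10:21:05 tftp1 sshd[999]: Accepted publickey for admin from 10.0.0.2 port 51000
Oct 14 10:21:30 tftp1 systemd[1]: Started Advanced TFTP server.
"""

if __name__ == "__main__":
    for ev in crash_events(SAMPLE_LOG.splitlines()):
        print(ev["timestamp"], ev["host"], ev["event"])
    print("aborts per host:", crashes_per_host(SAMPLE_LOG.splitlines()))
```

Feed it journalctl -u atftpd -o short output (or the syslog file) and alert on any non-empty result; a single abort on a server that is not being upgraded is already worth investigating, and repeated aborts with the multicast-RRQ network indicator from the same period are the signature of someone exercising this bug.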

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-6097
  • openSUSE security announcement: http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00058.html