CVE-2020-17437
HIGHuIP < 1.0 - Out-of-bounds Write via TCP Urgent Pointer Handling
Title source: llmDescription
An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. When the Urgent flag is set in a TCP packet, and the stack is configured to ignore the urgent data, the stack attempts to use the value of the Urgent pointer bytes to separate the Urgent data from the normal data, by calculating the offset at which the normal data should be present in the global buffer. However, the length of this offset is not checked; therefore, for large values of the Urgent pointer bytes, the data pointer can point to memory that is way beyond the data buffer in uip_process in uip.c.
References (3)
Core 3
Core References
Third Party Advisory, US Government Resource x_refsource_misc
https://www.kb.cert.org/vuls/id/815128
Third Party Advisory, US Government Resource x_refsource_misc
https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01
Patch, Third Party Advisory x_refsource_confirm
https://cert-portal.siemens.com/productcert/pdf/ssa-541018.pdf
Scores
CVSS v3
8.2
EPSS
0.0026
EPSS Percentile
49.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Details
CWE
CWE-787
Status
published
Products (11)
open-iscsi_project/open-iscsi
< 2.1.7
siemens/sentron_3va_com100_firmware
< 4.4.1
siemens/sentron_3va_com800_firmware
< 4.4.1
siemens/sentron_3va_dsp800_firmware
< 4.0
siemens/sentron_pac2200_clp_firmware
siemens/sentron_pac2200_firmware
< 3.2.2
siemens/sentron_pac3200_firmware
< 2.4.7
siemens/sentron_pac3200t_firmware
< 3.2.2
siemens/sentron_pac3220_firmware
< 3.2.0
siemens/sentron_pac4200_firmware
< 2.3.0
... and 1 more
Published
Dec 11, 2020
Tracked Since
Feb 18, 2026