CVE-2020-17443

Name of the Vulnerable Software and Affected Versions picoTCP version 1.7.0

Description An issue in picoTCP allows for Denial-of-Service due to memory corruption. This occurs when the code for creating ICMPv6 echo replies does not check if the incoming ICMPv6 echo request packet's size is shorter than 8 bytes, resulting in an integer wrap around during the calculation of the ICMPv6 echo replies' size. The affected function is pico icmp6 send echoreply not frag in pico icmp6.c.

Recommendations For picoTCP version 1.7.0, consider disabling the pico icmp6 send echoreply not frag function in pico icmp6.c to prevent Denial-of-Service attacks until a patch is available. Restrict access to ICMPv6 echo replies to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.