PT-2020-5615 · Contiki+5 · Contiki+6

Published 2020-12-01 · Updated 2024-06-15 · CVE-2020-17437

CVSS v2.0: 8.5 High

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:C

Name of the Vulnerable Software and Affected Versions

uIP version 1.0
Contiki version 3.0

Description

An issue was discovered in uIP, as used in Contiki and other products. When the Urgent flag is set in a TCP packet, and the stack is configured to ignore the urgent data, the stack attempts to use the value of the Urgent pointer bytes to separate the Urgent data from the normal data. However, the length of this offset is not checked, allowing the data pointer to point to memory beyond the data buffer in uip_process in uip.c. This can lead to a buffer overflow, potentially causing a denial of service.

Recommendations

For uIP version 1.0, consider disabling the uip_process function until a patch is available to prevent potential exploitation. For Contiki version 3.0, restrict access to the uip.c module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
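
The length check that the description says is missing, shown as an added C example; it is not code from uIP or Contiki and not a vendor patch. The names `struct seg`, `unchecked_remaining` and `skip_urgent_checked` are hypothetical, and the sample payload is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical view of a received TCP payload (not uIP's own types). */
struct seg {
    const uint8_t *data;  /* start of the payload inside the packet buffer */
    uint16_t len;         /* payload bytes actually received */
};

/* Unchecked arithmetic as the advisory describes it: the urgent pointer is
 * trusted as an offset. Only the resulting length is returned so the 16-bit
 * wrap is visible; the out-of-range pointer is deliberately never formed. */
static uint16_t unchecked_remaining(uint16_t len, uint16_t urgp)
{
    return (uint16_t)(len - urgp);   /* wraps when urgp > len */
}

/* Checked version: skip the urgent data only if it fits in the payload.
 * Returns 0 and advances the segment, or -1 so the caller drops it. */
static int skip_urgent_checked(struct seg *s, uint16_t urgp)
{
    if (urgp > s->len)
        return -1;                   /* offset points past received data */
    s->data += urgp;
    s->len = (uint16_t)(s->len - urgp);
    return 0;
}

int main(void)
{
    static const uint8_t payload[8] = "URGDATA";   /* constructed sample */
    struct seg s = { payload, sizeof payload };
    int rc;

    /* Urgent pointer one byte past an 8-byte payload. */
    printf("unchecked length: %u\n", (unsigned)unchecked_remaining(8, 9));
    rc = skip_urgent_checked(&s, 9);
    printf("checked, urgp=9: rc=%d len=%u\n", rc, (unsigned)s.len);
    rc = skip_urgent_checked(&s, 3);
    printf("checked, urgp=3: rc=%d len=%u\n", rc, (unsigned)s.len);
    return 0;
}
```

An urgent pointer only one byte larger than the payload already wraps the unchecked length to 65535, so rejecting any offset greater than the received length is the condition to look for when reviewing a patched build.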

Memory Corruption

Weakness Enumeration

Related Identifiers

ALT-PU-2022-3065
ALT-PU-2023-4413
ALT-PU-2023-6719
BDU:2021-01270
CVE-2020-17437
OESA-2022-1757
OPENSUSE-SU-2024:11112-1
SUSE-RU-2021:1517-1
SUSE-SU-2021:0663-1
SUSE-SU-2021:1164-1
SUSE-SU-2022:2806-1
SUSE-SU-2022:2861-1
SUSE-SU-2022_2861-1
USN-6259-1

Affected Products

Alt Linux
Astra Linux
Contiki
Linuxmint
Suse
Ubuntu
Uip