PT-2021-11319 · Eclipse · Eclipse Californium
Achim Kraus · Published 2021-02-03 · Updated 2021-02-09 · CVE-2020-27222
| CVSS v3.1 | 7.5 (High) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions:
Eclipse Californium versions 2.3.0 through 2.6.0
Description:
Certificate-based DTLS handshakes in Eclipse Californium fail unexpectedly because the server remains in a wrong internal state. That state is left behind by an earlier certificate-based DTLS handshake that failed with a TLS parameter mismatch, so a client can deliberately trigger the condition and cause a Denial of Service (DoS). The server must be restarted to recover from this state.
Recommendations:
For Eclipse Californium versions 2.3.0 through 2.6.0, restart the DTLS server to clear the wrong internal state and restore certificate-based handshakes, thereby ending the Denial of Service (DoS). As a temporary workaround, consider measures that prevent repeated certificate-based DTLS handshake failures with a TLS parameter mismatch.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Eclipse Californium