CVE-2020-15795

Name of the Vulnerable Software and Affected Versions APOGEE PXC Compact (BACnet) versions prior to V3.5.5 APOGEE PXC Compact (P2 Ethernet) versions prior to V2.8.20 APOGEE PXC Modular (BACnet) versions prior to V3.5.5 APOGEE PXC Modular (P2 Ethernet) versions prior to V2.8.20 Nucleus NET versions prior to V5.2 Nucleus Source Code versions including affected DNS modules TALON TC Compact (BACnet) versions prior to V3.5.5 TALON TC Modular (BACnet) versions prior to V3.5.5

Description The issue is related to the DNS domain name label parsing functionality, which does not properly validate names in DNS responses. This can lead to a write past the end of an allocated structure when parsing malformed responses. An attacker with a privileged network position could exploit this to execute code in the context of the current process or cause a denial-of-service condition. The vulnerability is also associated with a buffer overflow in the Nucleus NET TCP/IP stack's DNS domain name labeling function, which could allow a remote attacker to execute arbitrary code.

Recommendations For APOGEE PXC Compact (BACnet) versions prior to V3.5.5, update to version V3.5.5 or later. For APOGEE PXC Compact (P2 Ethernet) versions prior to V2.8.20, update to version V2.8.20 or later. For APOGEE PXC Modular (BACnet) versions prior to V3.5.5, update to version V3.5.5 or later. For APOGEE PXC Modular (P2 Ethernet) versions prior to V2.8.20, update to version V2.8.20 or later. For Nucleus NET versions prior to V5.2, update to version V5.2 or later. For Nucleus Source Code versions including affected DNS modules, ensure to update or modify the DNS modules to a version that is not affected by the vulnerability. For TALON TC Compact (BACnet) versions prior to V3.5.5, update to version V3.5.5 or later. For TALON TC Modular (BACnet) versions prior to V3.5.5, update to version V3.5.5 or later.