PT-2021-3974 · InterNiche · NicheStack TCP/IP
Published: 2021-05-28 · Updated: 2021-08-26 · CVE-2020-25928
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
InterNiche NicheStack TCP/IP version 4.0.1
Description
The issue stems from errors in processing input data length parameters in the DNS client of InterNiche NicheStack TCP/IP. Exploitation of this issue may allow a remote attacker to execute arbitrary code. The affected component is the DNS response processing code, including the functions dns_upcall(), getoffset(), and dnc_set_answer(). The attack vector is a specific DNS response packet. The code does not check the response data length field of individual DNS answers, which may cause out-of-bounds read/write operations, leading to information leak, denial of service, or remote code execution, depending on the context.
Recommendations
For InterNiche NicheStack TCP/IP version 4.0.1, consider disabling the DNS response processing functions, specifically dns_upcall(), getoffset(), and dnc_set_answer(), until a patch is available. Restrict access to the DNS feature to minimize the risk of exploitation. Avoid using the response data length field in individual DNS answers until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Out of bounds Read
Memory Corruption
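The missing check named in the description, written out as an added example (not code from NicheStack or from this advisory): a stand-alone C validator that a receive path could run on a DNS response before any answer is parsed. The names dns_response_lengths_ok, skip_name and rd16 and both sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Big-endian 16-bit read; the caller has already bounds-checked p[0..1]. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Skip an encoded name at off; return the offset after it, or 0 if it overruns. */
static size_t skip_name(const uint8_t *pkt, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = pkt[off];
        if (l == 0) return off + 1;               /* root label ends the name */
        if ((l & 0xC0) == 0xC0)                   /* 2-byte compression pointer ends it */
            return (len - off >= 2) ? off + 2 : 0;
        if (l & 0xC0) return 0;                   /* reserved label types */
        off += 1 + (size_t)l;
    }
    return 0;
}

/* 1 if every record, including each answer's RDLENGTH, fits in len bytes; else 0. */
int dns_response_lengths_ok(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 12) return 0;        /* fixed header is 12 bytes */
    uint16_t qd = rd16(pkt + 4), an = rd16(pkt + 6);
    size_t off = 12;
    for (uint16_t i = 0; i < qd; i++) {
        off = skip_name(pkt, len, off);
        if (off == 0 || len - off < 4) return 0;  /* QTYPE + QCLASS */
        off += 4;
    }
    for (uint16_t i = 0; i < an; i++) {
        off = skip_name(pkt, len, off);
        if (off == 0 || len - off < 10) return 0; /* TYPE, CLASS, TTL, RDLENGTH */
        uint16_t rdlen = rd16(pkt + off + 8);
        off += 10;
        if (rdlen > len - off) return 0;          /* RDATA would cross the buffer end */
        off += rdlen;
    }
    return 1;
}

/* Constructed samples: response for "a" with one A record (192.0.2.1). */
const uint8_t sample_ok[35] = {                   /* RDLENGTH = 4, matches RDATA */
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0, 1,'a',0, 0,1, 0,1,
    0xC0,0x0C, 0,1, 0,1, 0,0,0,60, 0,4, 192,0,2,1 };
const uint8_t sample_bad[35] = {                  /* RDLENGTH = 256, only 4 bytes follow */
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0, 1,'a',0, 0,1, 0,1,
    0xC0,0x0C, 0,1, 0,1, 0,0,0,60, 1,0, 192,0,2,1 };
```

The validator only walks the question and answer sections and does not follow compression pointers; it checks that declared lengths stay inside the received buffer, nothing more.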
Affected Products
NicheStack TCP/IP