#VU46106 Reachable Assertion in atftp - CVE-2020-6097

Cybersecurity Help s.r.o.

Published: 2020-08-27 | Updated: 2023-09-04

Vulnerability identifier: #VU46106

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-6097

CWE-ID: CWE-617

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
atftp
Web applications / Modules and components for CMS

Vendor: Dennis Kaarsemaker

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion in the atftpd daemon functionality. A remote attacker can use a specially crafted sequence of RRQ-Multicast requests to trigger an assert() call and cause a denial of service conditon on the target system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

atftp: 0.7.git20120829-3.1+b1 - 0.7.4

External links
https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1029

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for atftp

Multiple vulnerabilities in Dell EMC VxRail Appliance

Arch Linux update for atftp

OpenSUSE Linux update for atftp

Multiple vulnerabilities in atftpd daemon