JFrog Security Research

XRAY-194045 - InterNiche DNS client heap overflow

CVE-2020-25928 | CVSS 9.8

JFrog Severity:critical

Published 4 Aug. 2021 | Last updated 4 Aug. 2021

Heap overflow in InterNiche TCP/IP stack's DNS client leads to remote code execution when sending a crafted DNS response

InterNiche TCP/IP stack

InterNiche (, 4.3), fixed in 4.3

NicheStack (also known as InterNiche stack) is a proprietary TCP/IP stack developed originally by InterNiche Technologies and acquired by HCC Embedded in 2016. A heap-based buffer overflow was discovered when the NicheStack DNS client parses DNS response packets. To trigger CVE-2020-25928, an attacker sends a crafted DNS packet as a response to a DNS query from the vulnerable device. A response with a big "response data length" field will cause a heap overflow due to a fixed-size heap buffer copy. This is easy to achieve because the DNS TXID and UDP source port can be guessed due to CVE-2020-25926 and CVE-2021-31228, respectively, and the affected DNS client implementation does not validate the source IP address of the response packet (so the attacker does not even need to know the address of the real DNS server). Note that the DNS client is optional, and may be disabled or compiled-out entirely.

No PoC is supplied for this issue

If not needed, disable the NicheStack DNS client through the NicheStack CLI

(JFrog) INFRA:HALT New Vulnerabilities Impacting OT and Critical Infrastructure