- CVE-2020-11896 and CVE-2020-11907 can be mitigated by inspection of IP fragments and rejection of anomalous IP fragment traffic to prevent abuse. If IP fragmenting is not supported, you may also block IP fragmented packets entirely as a protective precaution.
- CVE-2020-11897 and CVE-2020-11909 can be mitigated by blocking various IP source routing, including IPv6 source routing - Routing Header Type 0 that has been deprecated by RFC-5095, see also VU#267289
- CVE-2020-11898, CVE-202-11900 and CVE‑2020‑11902 can be mitigated by disabling or blocking IP-in-IP tunneling if is not supported or required in your environment. More information can be found here VU#636397
- CVE-2020-11899 can be mitigated by dropping IPv6 packets addressed to multicast destination ff00::/8
- CVE-2020-11901 can be mitigated by normalizing DNS responses through DNS deep packet inspection or by a secure DNS recursion server.
- CVE‑2020‑11903 and CVE‑2020‑11905 can be mitigated by disabling DHCP and DHCPv6 clients, ensuring the DHCP Relay option RFC3046 is not enabled, and the local area network switch has capabilities such as DHCP-snooping to reduce risk of DHCP abuse on the target device.
- CVE-2020-11910 and CVE-2020-11911 can be mitigated by blocking unsupported ICMP messages such as ICMPv4 type 3, code 4, packets (MTU update) and ICMP type 18 code 0, packets (Address Mask Reply). These messages are not required in most end device network environments.
- CVE-2020-11913 and CVE-2020-11914 can be mitigated by ensuring use of reliable Ethernet hardware that rejects runt frames uses proper device driver protections to reject malformed Ethernet frames.
- CVE-2020-11912 can be mitigated by a firewall device or NAT device that inspects TCP SACK (Select Acknowledgement) and TCP timestamp options, rejecting any malformed packets.
This repository has been archived by the owner on May 15, 2024. It is now read-only.