CVE-2023-30546 – Contiki-NG has off-by-one error in Antelope DBMS
https://notcve.org/view.php?id=CVE-2023-30546
Contiki-NG is an operating system for Internet of Things devices. An off-by-one error can be triggered in the Antelope database management system in the Contiki-NG operating system in versions 4.8 and prior. The problem exists in the Contiki File System (CFS) backend for the storage of data (file os/storage/antelope/storage-cfs.c). In the functions `storage_get_index` and `storage_put_index`, a buffer for merging two strings is allocated with one byte less than the maximum size of the merged strings, causing subsequent calls to the cfs_open function to read from memory beyond the buffer size. The vulnerability has been patched in the "develop" branch of Contiki-NG, and is expected to be included in the next release.
References: https://github.com/contiki-ng/contiki-ng/pull/2425, https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-257g-w39m-5jj4
Weaknesses: CWE-125: Out-of-bounds Read; CWE-193: Off-by-one Error
CVE-2023-28116 – Buffer overflow in L2CAP due to misconfigured MTU
https://notcve.org/view.php?id=CVE-2023-28116
Contiki-NG is an open-source, cross-platform operating system for internet of things (IoT) devices. In versions 4.8 and prior, an out-of-bounds write can occur in the BLE L2CAP module of the Contiki-NG operating system. The network stack of Contiki-NG uses a global buffer (packetbuf) for processing packets, with a size of PACKETBUF_SIZE. In particular, when using the BLE L2CAP module with the default configuration, the PACKETBUF_SIZE value becomes larger than the actual size of the packetbuf. When large packets are processed by the L2CAP module, a buffer overflow can therefore occur when copying the packet data to the packetbuf.
References: https://github.com/contiki-ng/contiki-ng/pull/2398, https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-m737-4vx6-pfqp
Weaknesses: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'); CWE-787: Out-of-bounds Write
CVE-2023-23609 – contiki-ng BLE-L2CAP contains Improper size validation of L2CAP frames
https://notcve.org/view.php?id=CVE-2023-23609
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. Versions prior to and including 4.8 are vulnerable to an out-of-bounds write that can occur in the BLE-L2CAP module. The Bluetooth Low Energy - Logical Link Control and Adaptation Layer Protocol (BLE-L2CAP) module handles fragmentation of packets up to the configured MTU size. When fragments are reassembled, they are stored in a packet buffer of a configurable size, but there is no check to verify that the packet buffer is large enough to hold the reassembled packet. In Contiki-NG's default configuration, it is possible that an out-of-bounds write of up to 1152 bytes occurs.
References: https://github.com/contiki-ng/contiki-ng/pull/2254, https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-qr4q-6h3m-h3g7
Weaknesses: CWE-787: Out-of-bounds Write
CVE-2022-41972 – Contiki-NG contains NULL Pointer Dereference in BLE L2CAP module
https://notcve.org/view.php?id=CVE-2022-41972
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. Versions prior to 4.9 contain a NULL Pointer Dereference in the BLE L2CAP module. The Contiki-NG operating system for IoT devices contains a Bluetooth Low Energy stack. An attacker can inject a packet into this stack, which causes the implementation to dereference a NULL pointer and triggers undefined behavior. More specifically, while processing the L2CAP protocol, the implementation maps an incoming channel ID to its metadata structure.
References: https://github.com/contiki-ng/contiki-ng/pull/2253, https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-24xp-g5gf-6vvm
Weaknesses: CWE-476: NULL Pointer Dereference
CVE-2022-41873 – Out-of-bounds read and write in BLE L2CAP module
https://notcve.org/view.php?id=CVE-2022-41873
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. Versions prior to 4.9 are vulnerable to an out-of-bounds read. While processing the L2CAP protocol, the Bluetooth Low Energy stack of Contiki-NG needs to map an incoming channel ID to its metadata structure. While looking up the corresponding channel structure in get_channel_for_cid (in os/net/mac/ble/ble-l2cap.c), a bounds check is performed on the incoming channel ID, which is meant to ensure that the channel ID does not exceed the maximum number of supported channels. However, an integer truncation issue causes only the lowest byte of the channel ID to be checked, which makes the out-of-bounds check incomplete. A crafted channel ID allows out-of-bounds memory to be read and written with attacker-controlled data.
References: https://github.com/contiki-ng/contiki-ng/pull/2081, https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-m5cj-fw8m-ffgf
Weaknesses: CWE-125: Out-of-bounds Read; CWE-787: Out-of-bounds Write