CVE-2023-31129 – Contiki-NG missing NULL pointer check in IPv6 neighbor discovery
https://notcve.org/view.php?id=CVE-2023-31129
The Contiki-NG operating system, versions 4.8 and prior, can be triggered to dereference a NULL pointer in the message handling code for IPv6 router solicitations. Contiki-NG contains an implementation of IPv6 Neighbor Discovery (ND) in the module `os/net/ipv6/uip-nd6.c`. The ND protocol includes a message type called Router Solicitation (RS), which is used to locate routers and update their address information via the SLLAO (Source Link-Layer Address Option). If the indicated source address changes, the corresponding neighbor entry is set to the STALE state. For RS messages whose SLLAO indicates a link-layer address change, the message handler does not check that a neighbor entry can actually be created for the indicated address. The resulting pointer is used without a check, leading to the dereference of a NULL pointer of type `uip_ds6_nbr_t`. The problem has been patched in the `develop` branch of Contiki-NG and will be included in the upcoming 4.9 release.
References: https://github.com/contiki-ng/contiki-ng/pull/2271 https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-x29r-5qjg-75mq
CWE-476: NULL Pointer Dereference
CVE-2023-30546 – Contiki-NG has off-by-one error in Antelope DBMS
https://notcve.org/view.php?id=CVE-2023-30546
Contiki-NG is an operating system for Internet of Things devices. An off-by-one error can be triggered in the Antelope database management system in the Contiki-NG operating system, versions 4.8 and prior. The problem exists in the Contiki File System (CFS) backend for the storage of data (file `os/storage/antelope/storage-cfs.c`). In the functions `storage_get_index` and `storage_put_index`, a buffer for merging two strings is allocated with one byte less than the maximum size of the merged strings, causing subsequent calls to the `cfs_open` function to read from memory beyond the buffer size. The vulnerability has been patched in the `develop` branch of Contiki-NG and is expected to be included in the next release.
References: https://github.com/contiki-ng/contiki-ng/pull/2425 https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-257g-w39m-5jj4
CWE-125: Out-of-bounds Read; CWE-193: Off-by-one Error
CVE-2023-28116 – Buffer overflow in L2CAP due to misconfigured MTU
https://notcve.org/view.php?id=CVE-2023-28116
Contiki-NG is an open-source, cross-platform operating system for Internet of Things (IoT) devices. In versions 4.8 and prior, an out-of-bounds write can occur in the BLE L2CAP module of the Contiki-NG operating system. The network stack of Contiki-NG uses a global buffer (packetbuf) for processing packets, with the size PACKETBUF_SIZE. In particular, when using the BLE L2CAP module with the default configuration, the PACKETBUF_SIZE value becomes larger than the actual size of the packetbuf. When large packets are processed by the L2CAP module, a buffer overflow can therefore occur when copying the packet data into the packetbuf.
References: https://github.com/contiki-ng/contiki-ng/pull/2398 https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-m737-4vx6-pfqp
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'); CWE-787: Out-of-bounds Write
CVE-2023-23609 – contiki-ng BLE-L2CAP contains Improper size validation of L2CAP frames
https://notcve.org/view.php?id=CVE-2023-23609
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. Versions prior to and including 4.8 are vulnerable to an out-of-bounds write that can occur in the BLE-L2CAP module. The Bluetooth Low Energy Logical Link Control and Adaptation Layer Protocol (BLE-L2CAP) module handles fragmentation of packets up to the configured MTU size. When fragments are reassembled, they are stored in a packet buffer of a configurable size, but there is no check to verify that the packet buffer is large enough to hold the reassembled packet. In Contiki-NG's default configuration, an out-of-bounds write of up to 1152 bytes is possible.
References: https://github.com/contiki-ng/contiki-ng/pull/2254 https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-qr4q-6h3m-h3g7
CWE-787: Out-of-bounds Write
CVE-2022-41972 – Contiki-NG contains NULL Pointer Dereference in BLE L2CAP module
https://notcve.org/view.php?id=CVE-2022-41972
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. Versions prior to 4.9 contain a NULL pointer dereference in the BLE L2CAP module. The Contiki-NG operating system for IoT devices contains a Bluetooth Low Energy stack. An attacker can inject a packet into this stack that causes the implementation to dereference a NULL pointer and trigger undefined behavior. More specifically, while processing the L2CAP protocol, the implementation maps an incoming channel ID to its metadata structure.
References: https://github.com/contiki-ng/contiki-ng/pull/2253 https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-24xp-g5gf-6vvm
CWE-476: NULL Pointer Dereference