CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36053 – Out-of-bounds read in the uIP buffer module
https://notcve.org/view.php?id=CVE-2022-36053
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. The low-power IPv6 network stack of Contiki-NG has a buffer module (os/net/ipv6/uipbuf.c) that processes IPv6 extension headers in incoming data packets. As part of this processing, the function uipbuf_get_next_header casts a pointer to a uip_ext_hdr structure into the packet buffer at different offsets where extension headers are expected to be found, and then reads from this structure. Because of a lack of bounds checking, the casting can be done so that the structure extends beyond the packet's end. Hence, with a carefully crafted packet, it is possible to cause the Contiki-NG system to read data outside the packet buffer. • https://github.com/contiki-ng/contiki-ng/pull/1648 https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-2j9c-7754-w4cw • CWE-125: Out-of-bounds Read •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-35927 – Unverified DIO prefix info lengths in RPL-Classic in Contiki-NG
https://notcve.org/view.php?id=CVE-2022-35927
Contiki-NG is an open-source, cross-platform operating system for IoT devices. In the RPL-Classic routing protocol implementation in the Contiki-NG operating system, an incoming DODAG Information Option (DIO) control message can contain a prefix information option with a length parameter. The value of the length parameter is not validated, however, and it is possible to cause a buffer overflow when copying the prefix in the set_ip_from_prefix function. This vulnerability affects anyone running a Contiki-NG version prior to 4.7 that can receive RPL DIO messages from external parties. To obtain a patched version, users should upgrade to Contiki-NG 4.7 or later. • https://github.com/contiki-ng/contiki-ng/pull/1589 https://github.com/contiki-ng/contiki-ng/pull/1589/commits/4fffab0e632c4d01910fa957d1fd9ef321eb87d2 https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-9rm9-3phh-p4wm • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-35926 – Out-of-bounds read in IPv6 neighbor solicitation in Contiki-NG
https://notcve.org/view.php?id=CVE-2022-35926
Contiki-NG is an open-source, cross-platform operating system for IoT devices. Because of insufficient validation of IPv6 neighbor discovery options in Contiki-NG, attackers can send neighbor solicitation packets that trigger an out-of-bounds read. The problem exists in the module os/net/ipv6/uip-nd6.c, where memory read operations from the main packet buffer, <code>uip_buf</code>, are not checked if they go out of bounds. In particular, this problem can occur when attempting to read the 2-byte option header and the Source Link-Layer Address Option (SLLAO). This attack requires ipv6 be enabled for the network. • https://github.com/contiki-ng/contiki-ng/pull/1654 https://github.com/contiki-ng/contiki-ng/pull/1654/commits/a4597001d50a04f4b9c78f323ba731e2f979802c https://github.com/contiki-ng/contiki-ng/releases/tag/release%2Fv4.8 https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-4hpq-4f53-w386 • CWE-125: Out-of-bounds Read •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32771 – Buffer overflow in contiki-ng
https://notcve.org/view.php?id=CVE-2021-32771
Contiki-NG is an open-source, cross-platform operating system for IoT devices. In affected versions it is possible to cause a buffer overflow when copying an IPv6 address prefix in the RPL-Classic implementation in Contiki-NG. In order to trigger the vulnerability, the Contiki-NG system must have joined an RPL DODAG. After that, an attacker can send a DAO packet with a Target option that contains a prefix length larger than 128 bits. The problem was fixed after the release of Contiki-NG 4.7. • https://github.com/contiki-ng/contiki-ng/pull/1615 https://github.com/contiki-ng/contiki-ng/pull/1615/commits/587ae59956e00316fd44fd7072ac3a6a07b4b20f https://github.com/contiki-ng/contiki-ng/releases/tag/release%2Fv4.8 https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-jqjf-v7v9-xp6w • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-12140
https://notcve.org/view.php?id=CVE-2020-12140
A buffer overflow in os/net/mac/ble/ble-l2cap.c in the BLE stack in Contiki-NG 4.4 and earlier allows an attacker to execute arbitrary code via malicious L2CAP frames. Un desbordamiento de búfer en el archivo os/net/mac/ble/ble-l2cap.c en la pila BLE en Contiki-NG versiones 4.4 y anteriores, permite a un atacante ejecutar código arbitrario por medio de tramas L2CAP maliciosas • https://github.com/contiki-ng/contiki-ng/pull/1662 https://twitter.com/ScepticCtf • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •