
CVE-2021-21257

Out-of-bounds write in RPL-Classic and RPL-Lite

  • Severity Score: 7.5 (CVSS v3.1)
  • Exploit Likelihood: EPSS (value not shown)
  • Affected Versions: CPE (see table below)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

Contiki-NG is an open-source, cross-platform operating system for Internet of Things devices. The RPL-Classic and RPL-Lite implementations in Contiki-NG versions prior to 4.6 do not validate the address pointer in the RPL source routing header. This makes it possible for an attacker to cause out-of-bounds writes with packets injected into the network stack. Specifically, the problem lies in the rpl_ext_header_srh_update function in the two rpl-ext-header.c modules for RPL-Classic and RPL-Lite respectively. The addr_ptr variable is calculated using an unvalidated CMPR field value from the source routing header. An out-of-bounds write can be triggered on line 151 in os/net/routing/rpl-lite/rpl-ext-header.c and line 261 in os/net/routing/rpl-classic/rpl-ext-header.c, which contain a memcpy call with addr_ptr as destination. The problem has been patched in Contiki-NG 4.6. Users can apply the patch out-of-band as a workaround.
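As an added example (not Contiki-NG's code, and not the fix shipped in 4.6), the following C parser shows the class of check the description says was missing: every offset derived from the CMPR nibbles and Hdr Ext Len is validated against the buffer before a memcpy uses it as a destination. Field offsets follow the RPL Source Route Header layout in RFC 6554; the sample headers, function names and error codes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed part of the RPL Source Route Header (RFC 6554, section 3).
 * Added example only: constants and function names are not Contiki-NG's. */
#define SRH_HDR_EXT_LEN   1  /* length in 8-octet units, not counting the first 8 */
#define SRH_ROUTING_TYPE  2  /* 3 for an RPL source route header */
#define SRH_SEGMENTS_LEFT 3
#define SRH_CMPR          4  /* CmprI in the high nibble, CmprE in the low nibble */
#define SRH_PAD           5  /* Pad in the high nibble */
#define SRH_FIXED_LEN     8
#define RPL_SRH_TYPE      3

typedef struct {
  size_t ext_len;   /* whole SRH length in bytes, as declared by Hdr Ext Len */
  size_t n_addr;    /* number of addresses in the address vector */
  uint8_t cmpr_i, cmpr_e, pad, segments_left;
} srh_info_t;

/* Parse the fixed part and derive the address count (RFC 6554, section 4.1).
 * Every field that later feeds a pointer computation is checked against the
 * buffer here. Returns 0 on success, a negative code naming the failed check. */
int srh_parse(const uint8_t *buf, size_t buf_len, srh_info_t *out)
{
  if(buf == NULL || out == NULL || buf_len < SRH_FIXED_LEN) return -1;
  size_t ext_len = ((size_t)buf[SRH_HDR_EXT_LEN] + 1) * 8;
  if(ext_len > buf_len) return -2;                   /* header longer than the packet */
  if(buf[SRH_ROUTING_TYPE] != RPL_SRH_TYPE) return -3;
  uint8_t cmpr_i = buf[SRH_CMPR] >> 4;
  uint8_t cmpr_e = buf[SRH_CMPR] & 0x0f;
  uint8_t pad = buf[SRH_PAD] >> 4;
  size_t mid_len = 16 - cmpr_i;                      /* nibble <= 15, so at least 1 */
  size_t last_len = 16 - cmpr_e;
  size_t area = ext_len - SRH_FIXED_LEN;
  if(pad > 7 || area < (size_t)pad + last_len) return -4;  /* no room for the last address */
  size_t mid_bytes = area - pad - last_len;
  if(mid_bytes % mid_len != 0) return -5;            /* CMPR inconsistent with Hdr Ext Len */
  out->ext_len = ext_len;
  out->n_addr = mid_bytes / mid_len + 1;
  out->cmpr_i = cmpr_i; out->cmpr_e = cmpr_e; out->pad = pad;
  out->segments_left = buf[SRH_SEGMENTS_LEFT];
  if(out->segments_left > out->n_addr) return -6;    /* points past the vector */
  return 0;
}

/* Locate address `index` inside a parsed SRH: byte offset from the header start
 * and compressed length. Any index the header does not contain is refused. */
int srh_addr_span(const srh_info_t *info, size_t index, size_t *off, size_t *len)
{
  if(info == NULL || index >= info->n_addr) return -1;
  size_t mid_len = 16 - info->cmpr_i;
  size_t l = (index + 1 == info->n_addr) ? (size_t)(16 - info->cmpr_e) : mid_len;
  size_t o = SRH_FIXED_LEN + index * mid_len;
  if(o + l + info->pad > info->ext_len) return -2;   /* guard; unreachable after srh_parse */
  *off = o;
  *len = l;
  return 0;
}

/* Overwrite address `index` with the compressed tail of a full 16-byte `addr`.
 * The memcpy destination comes only from values srh_parse has validated, which
 * is the kind of check the advisory describes as missing before 4.6. */
int srh_write_addr(uint8_t *buf, size_t buf_len, size_t index, const uint8_t addr[16])
{
  srh_info_t info;
  size_t off, len;
  if(srh_parse(buf, buf_len, &info) != 0) return -1;
  if(srh_addr_span(&info, index, &off, &len) != 0) return -2;
  memcpy(buf + off, addr + (16 - len), len);
  return 0;
}

/* Constructed 24-byte sample headers (address bytes are arbitrary).
 * SAMPLE_SRH: Hdr Ext Len = 2, CmprI = CmprE = 8, Pad = 0, Segments Left = 2,
 * i.e. two addresses of 8 compressed bytes each. */
uint8_t SAMPLE_SRH[24] = {
  0x11, 0x02, 0x03, 0x02, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 };
/* Same, but CmprI = 0: the vector is not a whole number of 16-byte entries. */
uint8_t BAD_CMPR_SRH[24] = {
  0x11, 0x02, 0x03, 0x02, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 };
/* Hdr Ext Len = 5 declares 48 bytes while only 24 are present. */
uint8_t BAD_LEN_SRH[24] = {
  0x11, 0x05, 0x03, 0x02, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 };

int main(void)
{
  srh_info_t info;
  int rc = srh_parse(SAMPLE_SRH, sizeof SAMPLE_SRH, &info);
  printf("valid header: rc=%d, addresses=%zu\n", rc, info.n_addr);
  printf("bad CMPR: rc=%d\n", srh_parse(BAD_CMPR_SRH, sizeof BAD_CMPR_SRH, &info));
  printf("bad length: rc=%d\n", srh_parse(BAD_LEN_SRH, sizeof BAD_LEN_SRH, &info));
  return 0;
}
```

The two malformed samples are rejected in srh_parse, so srh_write_addr never reaches its memcpy for them; for the valid sample, an index beyond the parsed address count is rejected in srh_addr_span. A production implementation would additionally check the SRH against the packet's remaining IPv6 payload length and the node's receive buffer, since the Hdr Ext Len field is itself attacker-controlled.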

Credits: N/A

CVSS Scores

Metric                                Vector 1 (v3.1, score 7.5)   Vector 2 (v3)   Vector 3 (v2 metrics)
Attack Vector                         Network                      Network         Network
Attack Complexity                     Low                          Low             Low
Privileges Required / Authentication  None                         None            None
User Interaction                      None                         None            -
Scope                                 Unchanged                    Unchanged       -
Confidentiality                       None                         None            None
Integrity                             None                         High            None
Availability                          High                         Low             Partial

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2020-12-22 CVE Reserved
  • 2021-06-18 CVE Published
  • 2024-03-03 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-787: Out-of-bounds Write
CAPEC
Affected Vendors, Products, and Versions

Vendor      Product     Version   Other   Status
Contiki-ng  Contiki-ng  < 4.6     -       Affected