CVE-2022-41873

Out-of-bounds read and write in BLE L2CAP module

Severity Score

5.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. Versions prior to 4.9 are vulnerable to an out-of-bounds read. While processing the L2CAP protocol, the Bluetooth Low Energy stack of Contiki-NG needs to map an incoming channel ID to its metadata structure. While looking up the corresponding channel structure in get_channel_for_cid (in os/net/mac/ble/ble-l2cap.c), a bounds check is performed on the incoming channel ID, which is meant to ensure that the channel ID does not exceed the maximum number of supported channels. However, an integer truncation issue causes only the lowest byte of the channel ID to be checked, which leaves the out-of-bounds check incomplete. A crafted channel ID causes out-of-bounds memory to be read and written with attacker-controlled data. The vulnerability has been patched in the "develop" branch of Contiki-NG and will be included in release 4.9. As a workaround, users can apply the patch in Contiki-NG pull request 2081 on GitHub.
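The truncated bounds check described above, reconstructed as an added C example beside its corrected form. This is a constructed illustration of the bug class, not Contiki-NG's code; MAX_CHANNELS, lookup_truncated, lookup_checked and index_in_bounds are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed example: a small channel table of the kind a BLE L2CAP
 * implementation keeps per connection. Names are hypothetical. */
#define MAX_CHANNELS 4
#define CID_INVALID  (-1)

typedef struct { uint16_t peer_cid; uint16_t mtu; } channel_t;
channel_t channels[MAX_CHANNELS];

/* Vulnerable pattern: the incoming 16-bit CID is narrowed to 8 bits for
 * the comparison, but the full 16-bit value is used as the index. Any CID
 * whose low byte is below MAX_CHANNELS passes the check regardless of its
 * high byte. Returns the table index the caller would use, or CID_INVALID. */
int lookup_truncated(uint16_t cid) {
  uint8_t idx = (uint8_t)cid;      /* truncation: high byte is discarded */
  if (idx >= MAX_CHANNELS) {
    return CID_INVALID;
  }
  return cid;                      /* full value reaches channels[] */
}

/* Fixed pattern: compare the value at its full width, and only then use
 * that same value as the index. */
int lookup_checked(uint16_t cid) {
  if (cid >= MAX_CHANNELS) {
    return CID_INVALID;
  }
  return cid;
}

/* Defender's sanity check: does an index stay inside the real table? */
bool index_in_bounds(int idx) {
  return idx >= 0 && (size_t)idx < sizeof(channels) / sizeof(channels[0]);
}
```

A CID such as 0x0102 has a low byte of 2, so lookup_truncated accepts it and would index entry 258 of a four-entry table, while lookup_checked rejects it.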

*Credits: N/A
CVSS Scores
  • Attack Vector: Adjacent; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: Low; Integrity: Low; Availability: None
  • Attack Vector: Adjacent; Attack Complexity: High; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: Low; Integrity: Low; Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-09-30 CVE Reserved
  • 2022-11-11 CVE Published
  • 2024-06-03 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-125: Out-of-bounds Read
  • CWE-787: Out-of-bounds Write
CAPEC
Affected Vendors, Products, and Versions
Vendor      Product     Version   Other   Status
Contiki-ng  Contiki-ng  < 4.9     -       Affected