CVE-2023-50926

Unvalidated DIO prefix info length in RPL-Lite in Contiki-NG

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An out-of-bounds read can be caused by an incoming DIO message when using the RPL-Lite implementation in the Contiki-NG operating system. More specifically, the prefix information of the DIO message contains a field that specifies the length of an IPv6 address prefix. The value of this field is not validated, which means that an attacker can set a value that is longer than the maximum prefix length. Subsequently, a memcmp function call that compares different prefixes can be called with a length argument that surpasses the boundary of the array allocated for the prefix, causing an out-of-bounds read. The problem has been patched in the "develop" branch of Contiki-NG, and is expected to be included in the next release. Users are advised to update as soon as they are able to or to manually apply the changes in Contiki-NG pull request #2721.

Contiki-NG es un sistema operativo multiplataforma de código abierto para dispositivos IoT de próxima generación. Una lectura fuera de los límites puede deberse a un mensaje DIO entrante cuando se utiliza la implementación RPL-Lite en el sistema operativo Contiki-NG. Más específicamente, la información de prefijo del mensaje DIO contiene un campo que especifica la longitud de un prefijo de dirección IPv6. El valor de este campo no está validado, lo que significa que un atacante puede establecer un valor que sea mayor que la longitud máxima del prefijo. Posteriormente, se puede llamar a una función memcmp que compara diferentes prefijos con un argumento de longitud que supera el límite de la matriz asignada para el prefijo, lo que provoca una lectura fuera de los límites. El problema ha sido solucionado en la rama "desarrollo" de Contiki-NG y se espera que se incluya en la próxima versión. Se recomienda a los usuarios que actualicen tan pronto como puedan o que apliquen manualmente los cambios en la solicitud de extracción n.° 2721 de Contiki-NG.

*Credits: N/A

CVSS Scores

GitHubv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-12-15 CVE Reserved
2024-02-14 CVE Published
2024-02-15 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-125: Out-of-bounds Read

CAPEC

References (2)

URL	Tag	Source
https://github.com/contiki-ng/contiki-ng/pull/2721	X_refsource_misc
https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-jp4p-fq85-jch2	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Contiki-ng Search vendor "Contiki-ng"		Contiki-ng Search vendor "Contiki-ng" for product "Contiki-ng"				<= 4.9 Search vendor "Contiki-ng" for product "Contiki-ng" and version " <= 4.9"		en		Affected