// For flags

CVE-2023-50927

Insufficient boundary checks for DIO and DAO messages in RPL-Lite in Contiki-NG

Severity Score

8.6
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An attacker can trigger out-of-bounds reads in the RPL-Lite implementation of the RPL protocol in the Contiki-NG operating system. This vulnerability is caused by insufficient control of the lengths for DIO and DAO messages, in particular when they contain RPL sub-option headers. The problem has been patched in Contiki-NG 4.9. Users are advised to upgrade. Users unable to upgrade should manually apply the code changes in PR #2484.

Contiki-NG es un sistema operativo multiplataforma de código abierto para dispositivos IoT de próxima generación. Un atacante puede activar lecturas fuera de los límites en la implementación RPL-Lite del protocolo RPL en el sistema operativo Contiki-NG. Esta vulnerabilidad se debe a un control insuficiente de la longitud de los mensajes DIO y DAO, en particular cuando contienen encabezados de subopciones RPL. El problema ha sido solucionado en Contiki-NG 4.9. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben aplicar manualmente los cambios de código en PR #2484.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-12-15 CVE Reserved
  • 2024-02-14 CVE Published
  • 2024-08-02 CVE Updated
  • 2025-04-15 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-125: Out-of-bounds Read
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Contiki-ng
Search vendor "Contiki-ng"
 Contiki-ng
Search vendor "Contiki-ng" for product "Contiki-ng"
 < 4.9
Search vendor "Contiki-ng" for product "Contiki-ng" and version " < 4.9"
en
Affected