CVE-2024-32017

Buffer overflows in RIOT

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

RIOT is a real-time multi-threading operating system that supports a range of devices that are typically 8-bit, 16-bit and 32-bit microcontrollers. The size check in the `gcoap_dns_server_proxy_get()` function contains a small typo that may lead to a buffer overflow in the subsequent `strcpy()`. In detail, the length of the `_uri` string is checked instead of the length of the `_proxy` string. The `_gcoap_forward_proxy_copy_options()` function does not implement an explicit size check before copying data to the `cep->req_etag` buffer that is `COAP_ETAG_LENGTH_MAX` bytes long. If an attacker can craft input so that `optlen` becomes larger than `COAP_ETAG_LENGTH_MAX`, they can cause a buffer overflow. If the input above is attacker-controlled and crosses a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution. This issue has yet to be patched. Users are advised to add manual bounds checking.

RIOT es un sistema operativo multiproceso en tiempo real que admite una variedad de dispositivos que suelen ser microcontroladores de 8, 16 y 32 bits. La verificación de tamaño en la función `gcoap_dns_server_proxy_get()` contiene un pequeño error tipográfico que puede provocar un desbordamiento del búfer en el `strcpy()` posterior. En detalle, se verifica la longitud de la cadena `_uri` en lugar de la longitud de la cadena `_proxy`. La función `_gcoap_forward_proxy_copy_options()` no implementa una verificación de tamaño explícita antes de copiar datos al buffer `cep->req_etag` que tiene una longitud de bytes `COAP_ETAG_LENGTH_MAX`. Si un atacante puede crear una entrada para que "optlen" sea más grande que "COAP_ETAG_LENGTH_MAX", puede provocar un desbordamiento del búfer. Si la entrada anterior está controlada por un atacante y cruza un límite de seguridad, el impacto de las vulnerabilidades de desbordamiento del búfer podría variar desde denegación de servicio hasta ejecución de código arbitrario. Este problema aún no se ha solucionado. Se recomienda a los usuarios que agreguen la verificación manual de los límites.

RIOT versions 2024.01 and below suffers from multiple buffer overflows, ineffective size checks, and out-of-bounds memory access vulnerabilities.

*Credits: N/A

CVSS Scores

GitHubv3.1 9.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-04-09 CVE Reserved
2024-05-01 CVE Published
2024-05-01 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CAPEC

References (5)

URL	Tag	Source
http://seclists.org/fulldisclosure/2024/May/7
http://www.openwall.com/lists/oss-security/2024/05/07/3
https://github.com/RIOT-OS/RIOT/blob/master/sys/net/application_layer/gcoap/dns.c#L319-L325	X_refsource_misc
https://github.com/RIOT-OS/RIOT/blob/master/sys/net/application_layer/gcoap/forward_proxy.c#L352	X_refsource_misc
https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-v97j-w9m6-c4h3	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
-		-				-		-		-