Informazioni sul CVE-2023-29001
Uncontrolled recursion due to insufficient validation of the IPv6 source routing header in Contiki-NG
CWE ID: CWE-674
Base Score (CVSS): 8.7
CVE: CVE-2023-29001
Descrizione: Contiki-NG is an open-source, cross-platform operating system for IoT devices. The Contiki-NG operating system processes source routing headers (SRH) in its two alternative RPL protocol implementations. The IPv6 implementation uses the results of this processing to determine whether an incoming packet should be forwarded to another host. Because of missing validation of the resulting next-hop address, an uncontrolled recursion may occur in the tcpip_ipv6_output function in the os/net/ipv6/tcpip.c module when receiving a packet with a next-hop address that is a local address. Attackers that have the possibility to send IPv6 packets to the Contiki-NG host can therefore trigger deeply nested recursive calls, which can cause a stack overflow. The vulnerability has not been patched in the current release of Contiki-NG, but is expected to be patched in the next release. The problem can be fixed by applying the patch in Contiki-NG pull request #2264. Users are advised to either apply the patch manually or to wait for the next release. There are no known workarounds for this vulnerability.
Vettore di attacco
Punteggio CVSS
Il CVSS è un sistema di valutazione che misura la gravità di una vulnerabilità informatica considerando fattori come l’impatto potenziale, la probabilità di attacco e la facilità di esecuzione.
Riassunto: .
Dettaglio del Vettore
| Metrica | Valore | Significato | Descrizione |
|---|
Riferimenti esterni
- https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-7p75-mf53-ffwm
- https://github.com/contiki-ng/contiki-ng/pull/2264
Prodotti interessati
- contiki-ng – contiki-ng
Relazioni con altri prodotti
Produttore:contiki-ng
Prodotto: contiki-ng
Anno: 2023
CWE: CWE-674
CVSS: 8.7