Lucene search

GitHub_MCVELIST:CVE-2023-24820

HistoryApr 24, 2023 - 2:59 p.m.

CVE-2023-24820 RIOT-OS vulnerable to Integer Underflow during IPHC receive

2023-04-2414:59:43

CWE-191

CWE-787

GitHub_M

www.cve.org

riot-os

internet of things

6lowpan

integer underflow

iphc

denial of service

patch

workaround

ram.

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

42.0%

JSON

RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the ability to process 6LoWPAN frames. An attacker can send a crafted frame to the device resulting in a large out of bounds write beyond the packet buffer. The write will create a hard fault exception after reaching the last page of RAM. The hard fault is not handled and the system will be stuck until reset. Thus the impact is denial of service. Version 2022.10 fixes this issue. As a workaround, apply the patch manually.

CNA Affected

[
  {
    "vendor": "RIOT-OS",
    "product": "RIOT",
    "versions": [
      {
        "version": "< 2022.10",
        "status": "affected"
      }
    ]
  }
]

References

github.com/RIOT-OS/RIOT/pull/18817/commits/2709fbd827b688fe62df2c77c316914f4a3a6d4a

github.com/RIOT-OS/RIOT/pull/18820/commits/d052e2ee166e55bbdfe4c455e65dbd7e3479ebe3

github.com/RIOT-OS/RIOT/security/advisories/GHSA-vpx8-h94p-9vrj

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

42.0%

JSON

Related for CVELIST:CVE-2023-24820