Home > Vulnerability Database > CVE-2023-34101

Mend.io Vulnerability Database

CVE-2023-34101

Date: June 14, 2023

Contiki-NG is an operating system for internet of things devices. In version 4.8 and prior, when processing ICMP DAO packets in the `dao_input_storing` function, the Contiki-NG OS does not verify that the packet buffer is big enough to contain the bytes it needs before accessing them. Up to 16 bytes can be read out of bounds in the `dao_input_storing` function. An attacker can truncate an ICMP packet so that it does not contain enough data, leading to an out-of-bounds read on these lines. The problem has been patched in the "develop" branch of Contiki-NG, and is expected to be included in release 4.9. As a workaround, one can apply the changes in Contiki-NG pull request #2435 to patch the system.

Language: C

Severity Score

9.1

Related Resources (4)

Url: https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-fp66-ff6x-7w2w

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-34101

Url: https://github.com/contiki-ng/contiki-ng/pull/2435

Url: https://www.mend.io/vulnerability-database/CVE-2023-34101

Severity Score

9.1

Weakness Type (CWE)

Out-of-bounds Read

CWE-125

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-34101

Date: June 14, 2023

Language: C

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?