ID

VAR-202209-0018


CVE

CVE-2022-36054


TITLE

Out-of-bounds write vulnerability in Contiki-NG

Trust: 0.8

sources: JVNDB: JVNDB-2022-016126

DESCRIPTION

Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. The 6LoWPAN implementation in the Contiki-NG operating system (file os/net/ipv6/sicslowpan.c) contains an input function that processes incoming packets and copies them into a packet buffer. Because of a missing length check in the input function, it is possible to write outside the packet buffer's boundary. The vulnerability can be exploited by anyone who can send 6LoWPAN packets to a Contiki-NG system. In particular, the vulnerability is exposed when sending either of two types of 6LoWPAN packets: an unfragmented packet or the first fragment of a fragmented packet. If the packet is sufficiently large, a subsequent memory copy will cause an out-of-bounds write with data supplied by the attacker. Contiki-NG contains an out-of-bounds write vulnerability. Information may be obtained or tampered with, and a denial-of-service (DoS) condition may result.

Trust: 2.25

sources: NVD: CVE-2022-36054 // JVNDB: JVNDB-2022-016126 // CNNVD: CNNVD-202209-018 // VULMON: CVE-2022-36054

AFFECTED PRODUCTS

vendor: contiki ng, model: contiki-ng, scope: lt, version: 4.8

Trust: 1.0

vendor: contiki ng, model: contiki-ng, scope: eq, version: -

Trust: 0.8

vendor: contiki ng, model: contiki-ng, scope: eq, version: 4.8

Trust: 0.8

vendor: contiki ng, model: contiki-ng, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-016126 // NVD: CVE-2022-36054

CVSS

SEVERITY

nvd@nist.gov: CVE-2022-36054
value: HIGH

Trust: 1.0

security-advisories@github.com: CVE-2022-36054
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-36054
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202209-018
value: HIGH

Trust: 0.6

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-36054
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

security-advisories@github.com: CVE-2022-36054
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.6
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2022-36054
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-016126 // CNNVD: CNNVD-202209-018 // NVD: CVE-2022-36054 // NVD: CVE-2022-36054

PROBLEMTYPE DATA

problemtype: CWE-787

Trust: 1.0

problemtype: Out-of-bounds write (CWE-787) [other]

Trust: 0.8

sources: JVNDB: JVNDB-2022-016126 // NVD: CVE-2022-36054

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202209-018

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202209-018

PATCH

title: Contiki-NG Buffer error vulnerability fix, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=206824

Trust: 0.6

sources: CNNVD: CNNVD-202209-018

EXTERNAL IDS

db: NVD, id: CVE-2022-36054

Trust: 3.3

db: JVNDB, id: JVNDB-2022-016126

Trust: 0.8

db: CNNVD, id: CNNVD-202209-018

Trust: 0.6

db: VULMON, id: CVE-2022-36054

Trust: 0.1

sources: VULMON: CVE-2022-36054 // JVNDB: JVNDB-2022-016126 // CNNVD: CNNVD-202209-018 // NVD: CVE-2022-36054

REFERENCES

url:https://github.com/contiki-ng/contiki-ng/pull/1648

Trust: 2.5

url:https://github.com/contiki-ng/contiki-ng/security/advisories/ghsa-c36p-vhwg-244c

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2022-36054

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-36054/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/787.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2022-36054 // JVNDB: JVNDB-2022-016126 // CNNVD: CNNVD-202209-018 // NVD: CVE-2022-36054

SOURCES

db: VULMON, id: CVE-2022-36054
db: JVNDB, id: JVNDB-2022-016126
db: CNNVD, id: CNNVD-202209-018
db: NVD, id: CVE-2022-36054

LAST UPDATE DATE

2024-08-14T14:31:00.361000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2022-36054, date: 2022-09-01T00:00:00
db: JVNDB, id: JVNDB-2022-016126, date: 2023-10-02T08:10:00
db: CNNVD, id: CNNVD-202209-018, date: 2022-09-08T00:00:00
db: NVD, id: CVE-2022-36054, date: 2022-09-07T15:08:05.903

SOURCES RELEASE DATE

db: VULMON, id: CVE-2022-36054, date: 2022-09-01T00:00:00
db: JVNDB, id: JVNDB-2022-016126, date: 2023-10-02T00:00:00
db: CNNVD, id: CNNVD-202209-018, date: 2022-09-01T00:00:00
db: NVD, id: CVE-2022-36054, date: 2022-09-01T12:15:10.387