ID

VAR-202303-1689


CVE

CVE-2023-28116


TITLE

Contiki-NG  Out-of-bounds write vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2023-005715

DESCRIPTION

Contiki-NG is an open-source, cross-platform operating system for internet of things (IoT) devices. In versions 4.8 and prior, an out-of-bounds write can occur in the BLE L2CAP module of the Contiki-NG operating system. The network stack of Contiki-NG uses a global buffer (packetbuf) for processing of packets, with the size of PACKETBUF_SIZE. In particular, when using the BLE L2CAP module with the default configuration, the PACKETBUF_SIZE value becomes larger then the actual size of the packetbuf. When large packets are processed by the L2CAP module, a buffer overflow can therefore occur when copying the packet data to the packetbuf. The vulnerability has been patched in the "develop" branch of Contiki-NG, and will be included in release 4.9. The problem can be worked around by applying the patch manually. Contiki-NG Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. There is a security vulnerability in Contiki-NG 4.8 and earlier versions

Trust: 2.25

sources: NVD: CVE-2023-28116 // JVNDB: JVNDB-2023-005715 // CNNVD: CNNVD-202303-1441 // VULMON: CVE-2023-28116

AFFECTED PRODUCTS

vendor:contiki ngmodel:contiki-ngscope:lteversion:4.8

Trust: 1.0

vendor:contiki ngmodel:contiki-ngscope:lteversion:4.8 and earlier

Trust: 0.8

vendor:contiki ngmodel:contiki-ngscope: - version: -

Trust: 0.8

vendor:contiki ngmodel:contiki-ngscope:eqversion: -

Trust: 0.8

sources: JVNDB: JVNDB-2023-005715 // NVD: CVE-2023-28116

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-28116
value: CRITICAL

Trust: 1.0

security-advisories@github.com: CVE-2023-28116
value: HIGH

Trust: 1.0

NVD: CVE-2023-28116
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202303-1441
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2023-28116
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

security-advisories@github.com: CVE-2023-28116
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2023-28116
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-005715 // CNNVD: CNNVD-202303-1441 // NVD: CVE-2023-28116 // NVD: CVE-2023-28116

PROBLEMTYPE DATA

problemtype:CWE-120

Trust: 1.0

problemtype:CWE-787

Trust: 1.0

problemtype:Out-of-bounds writing (CWE-787) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-005715 // NVD: CVE-2023-28116

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202303-1441

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202303-1441

PATCH

title:Contiki-NG Buffer error vulnerability fixurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=230134

Trust: 0.6

sources: CNNVD: CNNVD-202303-1441

EXTERNAL IDS

db:NVDid:CVE-2023-28116

Trust: 3.3

db:JVNDBid:JVNDB-2023-005715

Trust: 0.8

db:CNNVDid:CNNVD-202303-1441

Trust: 0.6

db:VULMONid:CVE-2023-28116

Trust: 0.1

sources: VULMON: CVE-2023-28116 // JVNDB: JVNDB-2023-005715 // CNNVD: CNNVD-202303-1441 // NVD: CVE-2023-28116

REFERENCES

url:https://github.com/contiki-ng/contiki-ng/pull/2398

Trust: 2.5

url:https://github.com/contiki-ng/contiki-ng/security/advisories/ghsa-m737-4vx6-pfqp

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2023-28116

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2023-28116/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/120.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2023-28116 // JVNDB: JVNDB-2023-005715 // CNNVD: CNNVD-202303-1441 // NVD: CVE-2023-28116

SOURCES

db:VULMONid:CVE-2023-28116
db:JVNDBid:JVNDB-2023-005715
db:CNNVDid:CNNVD-202303-1441
db:NVDid:CVE-2023-28116

LAST UPDATE DATE

2024-08-14T14:24:10.293000+00:00


SOURCES UPDATE DATE

db:VULMONid:CVE-2023-28116date:2023-03-20T00:00:00
db:JVNDBid:JVNDB-2023-005715date:2023-11-09T06:36:00
db:CNNVDid:CNNVD-202303-1441date:2023-03-28T00:00:00
db:NVDid:CVE-2023-28116date:2023-11-07T04:10:25.093

SOURCES RELEASE DATE

db:VULMONid:CVE-2023-28116date:2023-03-17T00:00:00
db:JVNDBid:JVNDB-2023-005715date:2023-11-09T00:00:00
db:CNNVDid:CNNVD-202303-1441date:2023-03-17T00:00:00
db:NVDid:CVE-2023-28116date:2023-03-17T22:15:11.547