ID

VAR-202306-1186


CVE

CVE-2023-34101


TITLE

Out-of-bounds read vulnerability in Contiki-NG

Trust: 0.8

sources: JVNDB: JVNDB-2023-008578

DESCRIPTION

Contiki-NG is an operating system for internet of things devices. In version 4.8 and prior, when processing ICMP DAO packets in the `dao_input_storing` function, the Contiki-NG OS does not verify that the packet buffer is big enough to contain the bytes it needs before accessing them. Up to 16 bytes can be read out of bounds in the `dao_input_storing` function. An attacker can truncate an ICMP packet so that it does not contain enough data, leading to an out-of-bounds read on these lines. The problem has been patched in the "develop" branch of Contiki-NG, and is expected to be included in release 4.9. As a workaround, one can apply the changes in Contiki-NG pull request #2435 to patch the system. Contiki-NG contains an out-of-bounds read vulnerability. Information may be obtained and service operation may be interrupted (DoS). Contiki-NG 4.8 and earlier versions have a buffer error vulnerability, which is caused by an out-of-bounds read problem when processing ICMP DAO input.

Trust: 2.25

sources: NVD: CVE-2023-34101 // JVNDB: JVNDB-2023-008578 // CNNVD: CNNVD-202306-1126 // VULMON: CVE-2023-34101

AFFECTED PRODUCTS

vendor: contiki ng, model: contiki-ng, scope: lte, version: 4.8

Trust: 1.0

vendor: contiki ng, model: contiki-ng, scope: -, version: -

Trust: 0.8

vendor: contiki ng, model: contiki-ng, scope: lte, version: 4.8 and earlier

Trust: 0.8

vendor: contiki ng, model: contiki-ng, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2023-008578 // NVD: CVE-2023-34101

CVSS

SEVERITY

nvd@nist.gov: CVE-2023-34101
value: CRITICAL

Trust: 1.0

security-advisories@github.com: CVE-2023-34101
value: HIGH

Trust: 1.0

NVD: CVE-2023-34101
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202306-1126
value: CRITICAL

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2023-34101
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.2
version: 3.1

Trust: 1.0

security-advisories@github.com: CVE-2023-34101
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 3.4
version: 3.1

Trust: 1.0

NVD: CVE-2023-34101
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-008578 // CNNVD: CNNVD-202306-1126 // NVD: CVE-2023-34101 // NVD: CVE-2023-34101

PROBLEMTYPE DATA

problemtype:CWE-125

Trust: 1.0

problemtype:Out-of-bounds read (CWE-125) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-008578 // NVD: CVE-2023-34101

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202306-1126

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202306-1126

PATCH

title: Contiki-NG Buffer error vulnerability fix, url: http://123.124.177.30/web/xxk/bdxqById.tag?id=242566

Trust: 0.6

sources: CNNVD: CNNVD-202306-1126

EXTERNAL IDS

db: NVD, id: CVE-2023-34101

Trust: 3.3

db: JVNDB, id: JVNDB-2023-008578

Trust: 0.8

db: CNNVD, id: CNNVD-202306-1126

Trust: 0.6

db: VULMON, id: CVE-2023-34101

Trust: 0.1

sources: VULMON: CVE-2023-34101 // JVNDB: JVNDB-2023-008578 // CNNVD: CNNVD-202306-1126 // NVD: CVE-2023-34101

REFERENCES

url:https://github.com/contiki-ng/contiki-ng/pull/2435

Trust: 2.5

url:https://github.com/contiki-ng/contiki-ng/security/advisories/ghsa-fp66-ff6x-7w2w

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2023-34101

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/125.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2023-34101 // JVNDB: JVNDB-2023-008578 // CNNVD: CNNVD-202306-1126 // NVD: CVE-2023-34101

SOURCES

db: VULMON, id: CVE-2023-34101
db: JVNDB, id: JVNDB-2023-008578
db: CNNVD, id: CNNVD-202306-1126
db: NVD, id: CVE-2023-34101

LAST UPDATE DATE

2024-08-14T15:41:43.195000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2023-34101, date: 2023-06-14T00:00:00
db: JVNDB, id: JVNDB-2023-008578, date: 2023-12-01T08:14:00
db: CNNVD, id: CNNVD-202306-1126, date: 2023-06-25T00:00:00
db: NVD, id: CVE-2023-34101, date: 2023-06-23T18:18:09.143

SOURCES RELEASE DATE

db: VULMON, id: CVE-2023-34101, date: 2023-06-14T00:00:00
db: JVNDB, id: JVNDB-2023-008578, date: 2023-12-01T00:00:00
db: CNNVD, id: CNNVD-202306-1126, date: 2023-06-14T00:00:00
db: NVD, id: CVE-2023-34101, date: 2023-06-14T15:15:10.073