Lucene search

GitHub_MCVE-2023-24817

HistoryMay 30, 2023 - 4:15 p.m.

CVE-2023-24817

2023-05-3016:15:09

CWE-119

CWE-787

CWE-191

GitHub_M

web.nvd.nist.gov

cve-2023-24817

riot-os

iot

6lowpan

network stack

integer underflow

denial of service

nvd

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.2

Confidence

High

EPSS

0.001

Percentile

38.1%

JSON

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. Prior to version 2023.04, an attacker can send a crafted frame to the device resulting in an integer underflow and out of bounds access in the packet buffer. Triggering the access at the right time will corrupt other packets or the allocator metadata. Corrupting a pointer will lead to denial of service. This issue is fixed in version 2023.04. As a workaround, disable SRH in the network stack.

Affected configurations

Nvd

Vulners

Node

riot-osriotRange<2023.04

VendorProductVersionCPE
riot-osriot*cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
riot-os	riot	*	cpe:2.3:o:riot-os:riot::::::::

CNA Affected

[
  {
    "vendor": "RIOT-OS",
    "product": "RIOT",
    "versions": [
      {
        "version": "< 2023.04",
        "status": "affected"
      }
    ]
  }
]

References

github.com/RIOT-OS/RIOT/commit/34dc1757f5621be48e226cfebb2f4c63505b5360

github.com/RIOT-OS/RIOT/security/advisories/GHSA-xjgw-7638-29g5

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.2

Confidence

High

EPSS

0.001

Percentile

38.1%

JSON

Related for CVE-2023-24817