Lucene search

[email protected]NVD:CVE-2023-24817

HistoryMay 30, 2023 - 4:15 p.m.

CVE-2023-24817

2023-05-3016:15:09

CWE-119

CWE-191

CWE-787

[email protected]

web.nvd.nist.gov

riot-os

iot devices

network stack

6lowpan

denial of service

integer underflow

out of bounds access

packet buffer

allocator metadata

workaround

disable srh

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

38.1%

JSON

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. Prior to version 2023.04, an attacker can send a crafted frame to the device resulting in an integer underflow and out of bounds access in the packet buffer. Triggering the access at the right time will corrupt other packets or the allocator metadata. Corrupting a pointer will lead to denial of service. This issue is fixed in version 2023.04. As a workaround, disable SRH in the network stack.

Affected configurations

Nvd

Node

riot-osriotRange<2023.04

VendorProductVersionCPE
riot-osriot*cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
riot-os	riot	*	cpe:2.3:o:riot-os:riot::::::::

References

github.com/RIOT-OS/RIOT/commit/34dc1757f5621be48e226cfebb2f4c63505b5360

github.com/RIOT-OS/RIOT/security/advisories/GHSA-xjgw-7638-29g5

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

38.1%

JSON

Related for NVD:CVE-2023-24817

cvelist1 prion1 cve1