CVE-2023-29001
Vulnerability Scoring
Attack Complexity Details
- Attack Complexity: Analysis in progress
- Attack Vector: Analysis in progress
- Privileges Required: Analysis in progress
CVE-2023-29001 Vulnerability Summary
Contiki-NG is an open-source, cross-platform operating system for IoT devices. It processes source routing headers (SRH) in its two alternative RPL protocol implementations, and the IPv6 implementation uses the result of this processing to determine whether an incoming packet should be forwarded to another host. Because the resulting next-hop address is not validated, an uncontrolled recursion may occur in the tcpip_ipv6_output function in the os/net/ipv6/tcpip.c module when a received packet has a next-hop address that is a local address. Attackers who can send IPv6 packets to the Contiki-NG host can therefore trigger deeply nested recursive calls, which can cause a stack overflow. The vulnerability has not been patched in the current release of Contiki-NG, but is expected to be patched in the next release. The problem can be fixed by applying the patch in Contiki-NG pull request #2264. Users are advised either to apply the patch manually or to wait for the next release. There are no known workarounds for this vulnerability.
CVE-2023-29001: Detailed Information and External References
- EPSS: 0.00043
- EPSS %: 0.10929
References
- https://github.com/contiki-ng/contiki-ng/pull/2264
- https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-7p75-mf53-ffwm
CWE
CWE-674
CAPEC
- Serialized Data with Nested Payloads: Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
- Oversized Serialized Data Payloads: An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.