First published: Fri Jun 18 2021
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An out-of-bounds read can be triggered by 6LoWPAN packets sent to devices running Contiki-NG 4.6 and prior. The IPv6 header decompression function (<code>uncompress_hdr_iphc</code>) does not perform proper boundary checks when reading from the packet buffer. Hence, it is possible to construct a compressed 6LoWPAN packet that causes the function to read more bytes than are available in the packet buffer. As of the time of publication, no release containing a patch is available. Users can apply the patch for this vulnerability out-of-band as a workaround.
Credit: security-advisories@github.com
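The defect described above is a decoder that consumes the inline header fields its own flag bits select without first checking that the frame still holds them. The following is an added example, not Contiki-NG's code or the project's patch: a bounds-checked walk over the fixed part of an IPHC header, with dispatch and field encodings taken from RFC 6282 section 3.1, applied to a constructed sample frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Cursor over the received frame: every read is checked against remaining length. */
typedef struct { const uint8_t *p; size_t len; size_t pos; } reader_t;

static bool rd_skip(reader_t *r, size_t n) {
    if (r->len - r->pos < n) return false;   /* would read past the buffer */
    r->pos += n;
    return true;
}
static bool rd_u8(reader_t *r, uint8_t *out) {
    if (r->len - r->pos < 1) return false;
    *out = r->p[r->pos++];
    return true;
}

/* Parse the fixed part of an IPHC header (RFC 6282 s.3.1): two dispatch bytes,
 * an optional CID byte, then the inline traffic class / flow label, next header
 * and hop limit fields selected by TF, NH and HLIM. Returns the number of bytes
 * consumed, or 0 if the frame is too short for what its own flag bits promise
 * (or is not an IPHC frame at all). */
size_t iphc_fixed_len(const uint8_t *buf, size_t len) {
    reader_t r = { buf, len, 0 };
    uint8_t b0, b1, tmp;
    if (!rd_u8(&r, &b0) || !rd_u8(&r, &b1)) return 0;
    if ((b0 & 0xE0) != 0x60) return 0;              /* dispatch must be 011xxxxx */
    unsigned tf   = (b0 >> 3) & 0x03;
    unsigned nh   = (b0 >> 2) & 0x01;
    unsigned hlim =  b0       & 0x03;
    unsigned cid  = (b1 >> 7) & 0x01;
    if (cid && !rd_u8(&r, &tmp)) return 0;          /* context identifier extension */
    /* TF=00: ECN+DSCP+FL (4), TF=01: ECN+FL (3), TF=10: ECN+DSCP (1), TF=11: none */
    static const size_t tf_len[4] = { 4, 3, 1, 0 };
    if (!rd_skip(&r, tf_len[tf])) return 0;
    if (nh == 0 && !rd_u8(&r, &tmp)) return 0;      /* next header carried inline */
    if (hlim == 0 && !rd_u8(&r, &tmp)) return 0;    /* hop limit carried inline */
    return r.pos;
}

/* Constructed sample frame: TF=11 (no TC/FL), NH=0 (inline), HLIM=00 (inline),
 * CID=0, followed by next header 0x3A (ICMPv6) and hop limit 64. */
static const uint8_t sample_frame[] = { 0x78, 0x00, 0x3A, 0x40 };
```

Truncating the sample frame by a single byte makes the function return 0 instead of reading beyond the end, which is the check the advisory says the affected decompressor lacks.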
Affected Software | Affected Version | How to fix
---|---|---
Contiki-NG | <=4.6 | No patched release at time of publication; apply the patch out-of-band as a workaround
CVE-2021-21410 is a vulnerability in Contiki-NG, an open-source operating system for IoT devices, that allows an out-of-bounds read to be triggered by 6LoWPAN packets.
CVE-2021-21410 is rated critical, with a severity score of 9.1.
CVE-2021-21410 affects Contiki-NG versions 4.6 and prior, allowing an out-of-bounds read to be triggered by 6LoWPAN packets.
CVE-2021-21410 can be exploited by sending malicious 6LoWPAN packets to devices running Contiki-NG versions 4.6 and prior.
Yes, a fix for CVE-2021-21410 is available. It is recommended to update Contiki-NG to a version that is not affected by this vulnerability.