First published: Thu Sep 01 2022(Updated: )
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. The 6LoWPAN implementation in the Contiki-NG operating system (file os/net/ipv6/sicslowpan.c) contains an input function that processes incoming packets and copies them into a packet buffer. Because of a missing length check in the input function, it is possible to write outside the packet buffer's boundary. The vulnerability can be exploited by anyone who has the possibility to send 6LoWPAN packets to a Contiki-NG system. In particular, the vulnerability is exposed when sending either of two types of 6LoWPAN packets: an unfragmented packet or the first fragment of a fragmented packet. If the packet is sufficiently large, a subsequent memory copy will cause an out-of-bounds write with data supplied by the attacker.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Contiki-ng Contiki-ng | <4.8 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-36054 is a vulnerability in the 6LoWPAN implementation in the Contiki-NG operating system that allows an attacker to cause a denial of service or execute arbitrary code.
CVE-2022-36054 has a severity score of 8.8 (high) according to the CVSS (Common Vulnerability Scoring System).
Contiki-ng versions up to and excluding 4.8 are affected by CVE-2022-36054.
To fix CVE-2022-36054, it is recommended to update the Contiki-ng operating system to version 4.8 or later.
You can find more information about CVE-2022-36054 on the GitHub pull request page (link: https://github.com/contiki-ng/contiki-ng/pull/1648) and the GitHub security advisories page (link: https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-c36p-vhwg-244c).