What is CVE-2023-34100?

CVE-2023-34100 is a vulnerability in the Contiki-NG operating system for IoT devices that allows for a buffer overflow when reading the TCP MSS option value from an incoming packet.

How does CVE-2023-34100 affect Contiki-NG?

CVE-2023-34100 affects Contiki-NG versions up to and including 4.8, allowing for a potential exploit to execute arbitrary code on affected devices.

What is the severity of CVE-2023-34100?

CVE-2023-34100 has a severity rating of 6.5 (High).

How can I fix CVE-2023-34100?

To fix CVE-2023-34100, it is recommended to update to a patched version of Contiki-NG and implement proper input validation and bounds checking to prevent buffer overflow vulnerabilities.

Where can I find more information about CVE-2023-34100?

You can find more information about CVE-2023-34100 at the following references: [Reference 1](https://github.com/contiki-ng/contiki-ng/pull/2434/commits/cde4e98398a2f5b994972c8459342af3ba93b98e) and [Reference 2](https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-3v7c-jq9x-cmph).

Vulnerability/
CVE-2023-34100

high

7.3

CWE

125

9/6/2023

21/6/2023

CVE-2023-34100

First published: Fri Jun 09 2023(Updated: )

Contiki-NG is an open-source, cross-platform operating system for IoT devices. When reading the TCP MSS option value from an incoming packet, the Contiki-NG OS does not verify that certain buffer indices to read from are within the bounds of the IPv6 packet buffer, uip_buf. In particular, there is a 2-byte buffer read in the module os/net/ipv6/uip6.c. The buffer is indexed using 'UIP_IPTCPH_LEN + 2 + c' and 'UIP_IPTCPH_LEN + 3 + c', but the uip_buf buffer may not have enough data, resulting in a 2-byte read out of bounds. The problem has been patched in the "develop" branch of Contiki-NG, and is expected to be included in release 4.9. Users are advised to watch for the 4.9 release and to upgrade when it becomes available. There are no workarounds for this vulnerability aside from manually patching with the diff in commit `cde4e9839`.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Contiki-ng Contiki-ng	<=4.8

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-34100?
CVE-2023-34100 is a vulnerability in the Contiki-NG operating system for IoT devices that allows for a buffer overflow when reading the TCP MSS option value from an incoming packet.
How does CVE-2023-34100 affect Contiki-NG?
CVE-2023-34100 affects Contiki-NG versions up to and including 4.8, allowing for a potential exploit to execute arbitrary code on affected devices.
What is the severity of CVE-2023-34100?
CVE-2023-34100 has a severity rating of 6.5 (High).
How can I fix CVE-2023-34100?
To fix CVE-2023-34100, it is recommended to update to a patched version of Contiki-NG and implement proper input validation and bounds checking to prevent buffer overflow vulnerabilities.
Where can I find more information about CVE-2023-34100?
You can find more information about CVE-2023-34100 at the following references: [Reference 1](https://github.com/contiki-ng/contiki-ng/pull/2434/commits/cde4e98398a2f5b994972c8459342af3ba93b98e) and [Reference 2](https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-3v7c-jq9x-cmph).

collector/nvd-index
vendor/contiki-ng
canonical/contiki-ng contiki-ng
version/contiki-ng contiki-ng/4.8

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.