What is CVE-2023-37459?

CVE-2023-37459 is a vulnerability in the Contiki-NG operating system for internet-of-things devices, where the implementation does not verify a full TCP header before starting the periodic TCP timer for TCP packets with the SYN flag set.

What is the severity of CVE-2023-37459?

The severity of CVE-2023-37459 is medium with a CVSS score of 5.3.

How does CVE-2023-37459 affect Contiki-NG?

CVE-2023-37459 affects Contiki-NG versions 4.9 and prior.

How can I fix CVE-2023-37459?

To fix CVE-2023-37459, update to a version of Contiki-NG that is newer than 4.9.

CWE-125 is a Common Weakness Enumeration category for out-of-bounds read, which is the underlying weakness associated with CVE-2023-37459.

Vulnerability/
CVE-2023-37459

medium

5.3

CWE

125

15/9/2023

25/9/2024

CVE-2023-37459: Out-of-bounds read when processing a received IPv6 packet

First published: Fri Sep 15 2023(Updated: )

Contiki-NG is an operating system for internet-of-things devices. In versions 4.9 and prior, when a packet is received, the Contiki-NG network stack attempts to start the periodic TCP timer if it is a TCP packet with the SYN flag set. But the implementation does not first verify that a full TCP header has been received. Specifically, the implementation attempts to access the flags field from the TCP buffer in the following conditional expression in the `check_for_tcp_syn` function. For this reason, an attacker can inject a truncated TCP packet, which will lead to an out-of-bound read from the packet buffer. As of time of publication, a patched version is not available. As a workaround, one can apply the changes in Contiki-NG pull request #2510 to patch the system.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Contiki-ng Contiki-ng	<=4.9

Remedy

https://github.com/contiki-ng/contiki-ng/pull/2510

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-37459?
CVE-2023-37459 is a vulnerability in the Contiki-NG operating system for internet-of-things devices, where the implementation does not verify a full TCP header before starting the periodic TCP timer for TCP packets with the SYN flag set.
What is the severity of CVE-2023-37459?
The severity of CVE-2023-37459 is medium with a CVSS score of 5.3.
How does CVE-2023-37459 affect Contiki-NG?
CVE-2023-37459 affects Contiki-NG versions 4.9 and prior.
How can I fix CVE-2023-37459?
To fix CVE-2023-37459, update to a version of Contiki-NG that is newer than 4.9.
What is CWE-125?
CWE-125 is a Common Weakness Enumeration category for out-of-bounds read, which is the underlying weakness associated with CVE-2023-37459.

collector/nvd-api
collector/nvd-index
agent/author
agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/weakness
agent/last-modified-date
agent/title
agent/severity
agent/remedy
agent/tags
agent/description
agent/first-publish-date
agent/event
vendor/contiki-ng
canonical/contiki-ng contiki-ng
version/contiki-ng contiki-ng/4.9

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.