Sign-up

ID

VAR-202303-1689


CVE

CVE-2023-28116


TITLE

Contiki-NG  Out-of-bounds write vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2023-005715

DESCRIPTION

Contiki-NG is an open-source, cross-platform operating system for internet of things (IoT) devices. In versions 4.8 and prior, an out-of-bounds write can occur in the BLE L2CAP module of the Contiki-NG operating system. The network stack of Contiki-NG uses a global buffer (packetbuf) for processing of packets, with the size of PACKETBUF_SIZE. In particular, when using the BLE L2CAP module with the default configuration, the PACKETBUF_SIZE value becomes larger then the actual size of the packetbuf. When large packets are processed by the L2CAP module, a buffer overflow can therefore occur when copying the packet data to the packetbuf. The vulnerability has been patched in the "develop" branch of Contiki-NG, and will be included in release 4.9. The problem can be worked around by applying the patch manually. Contiki-NG Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. There is a security vulnerability in Contiki-NG 4.8 and earlier versions

Trust: 2.25

sources: NVD: CVE-2023-28116 // JVNDB: JVNDB-2023-005715 // CNNVD: CNNVD-202303-1441 // VULMON: CVE-2023-28116

AFFECTED PRODUCTS

vendor:contiki ngmodel:contiki-ngscope:lteversion:4.8

Trust: 1.0

vendor:contiki ngmodel:contiki-ngscope:lteversion:4.8 and earlier

Trust: 0.8

vendor:contiki ngmodel:contiki-ngscope: - version: -

Trust: 0.8

vendor:contiki ngmodel:contiki-ngscope:eqversion: -

Trust: 0.8

sources: JVNDB: JVNDB-2023-005715 // NVD: CVE-2023-28116

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2023-28116
value: CRITICAL

Trust: 1.8

security-advisories@github.com: CVE-2023-28116
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202303-1441
value: CRITICAL

Trust: 0.6

NVD:
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

security-advisories@github.com:
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2023-28116
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-005715 // NVD: CVE-2023-28116 // NVD: CVE-2023-28116 // CNNVD: CNNVD-202303-1441

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.0

problemtype:Out-of-bounds writing (CWE-787) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-005715 // NVD: CVE-2023-28116

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202303-1441

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202303-1441

CONFIGURATIONS

sources:
            
            
            NVD: CVE-2023-28116

PATCH
title:Contiki-NG Buffer error vulnerability fixurl:http://123.124.177.30/web/xxk/bdxqbyid.tag?id=230134
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-202303-1441

EXTERNAL IDS
db:NVDid:CVE-2023-28116
Trust: 3.3
db:JVNDBid:JVNDB-2023-005715
Trust: 0.8
db:CNNVDid:CNNVD-202303-1441
Trust: 0.6
db:VULMONid:CVE-2023-28116
Trust: 0.1
sources:
            
            
            VULMON: CVE-2023-28116 // 
            
            
            
            JVNDB: JVNDB-2023-005715 // 
            
            
            
            NVD: CVE-2023-28116 // 
            
            
            
            CNNVD: CNNVD-202303-1441

REFERENCES
url:https://github.com/contiki-ng/contiki-ng/pull/2398
Trust: 2.5
url:https://github.com/contiki-ng/contiki-ng/security/advisories/ghsa-m737-4vx6-pfqp
Trust: 2.5
url:https://nvd.nist.gov/vuln/detail/cve-2023-28116
Trust: 0.8
url:https://cxsecurity.com/cveshow/cve-2023-28116/
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/120.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            VULMON: CVE-2023-28116 // 
            
            
            
            JVNDB: JVNDB-2023-005715 // 
            
            
            
            NVD: CVE-2023-28116 // 
            
            
            
            CNNVD: CNNVD-202303-1441

SOURCES
db:VULMONid:CVE-2023-28116
db:JVNDBid:JVNDB-2023-005715
db:NVDid:CVE-2023-28116
db:CNNVDid:CNNVD-202303-1441

LAST UPDATE DATE
2023-12-18T13:41:34.758000+00:00

SOURCES UPDATE DATE
db:VULMONid:CVE-2023-28116date:2023-03-20T00:00:00
db:JVNDBid:JVNDB-2023-005715date:2023-11-09T06:36:00
db:NVDid:CVE-2023-28116date:2023-11-07T04:10:25.093
db:CNNVDid:CNNVD-202303-1441date:2023-03-28T00:00:00

SOURCES RELEASE DATE
db:VULMONid:CVE-2023-28116date:2023-03-17T00:00:00
db:JVNDBid:JVNDB-2023-005715date:2023-11-09T00:00:00
db:NVDid:CVE-2023-28116date:2023-03-17T22:15:11.547
db:CNNVDid:CNNVD-202303-1441date:2023-03-17T00:00:00