Diff-Fusion

**Name of the Vulnerable Software and Affected Versions** Contiki-NG (affected versions not specified) **Description** The Contiki-NG operating system has an issue with its IPv6 implementation, specifically in the processing of source routing headers (SRH) in its two alternative RPL protocol implementations. This can lead to uncontrolled recursion in the `tcpip ipv6 output` function when receiving a packet with a next-hop address that is a local address, potentially causing a stack overflow. Attackers who can send IPv6 packets to the Contiki-NG host can trigger this issue. There are no known workarounds for this issue. **Recommendations** To resolve the issue, users are advised to either apply the patch manually from Contiki-NG pull request #2264 or wait for the next release of Contiki-NG, which is expected to include the fix. As a temporary workaround, consider restricting access to the `tcpip ipv6 output` function in the os/net/ipv6/tcpip.c module until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MBed OS version 6.16.0 **Description** An issue was discovered in the processing of HCI packets. The software dynamically determines the length of the packet data by reading 2 bytes from the packet data. A buffer is then allocated to contain the entire packet. If the allocation fails because the specified packet is too large, no exception handling occurs, leading to a buffer overflow. This can be leveraged into an arbitrary write by an attacker, allowing the overwrite of the pointer to the buffer that is supposed to receive the contents of the packet body and the state variable used by the function to determine which step of the parsing process is currently being executed. **Recommendations** For MBed OS version 6.16.0, as a temporary workaround, consider disabling the processing of HCI packets until a patch is available. Restrict access to the `hciTrSerialRxIncoming` function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MBed OS version 6.16.0 **Description** An issue was discovered in the processing of HCI packets. The software dynamically determines the length of the packet header by looking up the identifying first byte and matching it against a table of possible lengths. The initial parsing function, `hciTrSerialRxIncoming`, does not drop packets with invalid identifiers but also does not set a safe default for the length of unknown packets' headers, leading to a buffer overflow. This can be leveraged into an arbitrary write by an attacker. It is possible to overwrite the pointer to a not-yet-allocated buffer that is supposed to receive the contents of the packet body. One can then overwrite the state variable used by the function to determine which state of packet parsing is currently occurring. Because the buffer is allocated when the last byte of the header has been copied, the combination of having a bad header length variable that will never match the counter variable and being able to overwrite the state variable with the resulting buffer overflow can be used to advance the function to the next step while skipping the buffer allocation and resulting pointer write. The next 16 bytes from the packet body are then written wherever the corrupted data pointer is pointing. **Recommendations** As a temporary workaround, consider disabling the `hciTrSerialRxIncoming` function until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MBed OS version 6.16.0 **Description** An issue was discovered in the parsing of hci reports. The hci parsing software dynamically determines the length of a list of reports by reading a byte from an input stream. It then fetches the length of the first report, uses it to calculate the beginning of the second report, etc. However, it does not validate that these addresses are all contained within the buffer passed to `hciEvtProcessLeExtAdvReport`. This can lead to a situation where the buffer designated to hold the reports is allocated in such a way that one of these out-of-bounds length fields is contained within the new buffer. When the (n-1)th report is copied, it overwrites the length field of the nth report. This now corrupted length field is then used for a `memcpy` into the new buffer, which may lead to a buffer overflow. **Recommendations** For MBed OS version 6.16.0, as a temporary workaround, consider restricting the use of the `hciEvtProcessLeExtAdvReport` function until a patch is available. Avoid using the `hciEvtProcessLeExtAdvReport` function with unvalidated input to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** MBed OS version 6.16.0 **Description** An issue was discovered in the processing of HCI packets, where the software dynamically determines the packet data length by reading 2 bytes from the packet header. A buffer is allocated based on this length, plus the header length, and then incremented by the size of `wsfMsg t`. This may cause an integer overflow, resulting in a buffer that is too small to contain the entire packet, potentially leading to a buffer overflow of up to 65 KB. This bug can be exploited for a denial of service, but further exploitation is generally not possible due to the dynamic allocation of the exploitable buffer. **Recommendations** For MBed OS version 6.16.0, consider disabling the processing of HCI packets until a patch is available to prevent potential denial of service attacks. Restrict access to the vulnerable buffer allocation function to minimize the risk of exploitation. Avoid using the `wsfMsgAlloc` function with dynamically determined packet lengths until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MBed OS version 6.16.0 **Description** An issue was discovered in the hci parsing software of MBed OS, where it dynamically determines the length of certain hci packets by reading a byte from its header. The software assumes this value to be greater than or equal to 3 but does not ensure this, leading to a buffer overflow when a length less than 3 is supplied. Additionally, supplying large length values can cause an integer overflow because the provided length value is increased by a few bytes. This issue can be exploited for a denial of service but is unlikely to suffice to bring the system down and cannot be exploited further due to the dynamic allocation of the exploitable buffer. **Recommendations** For MBed OS version 6.16.0, as a temporary workaround, consider restricting the input to the hci parsing software to prevent supplying lengths less than 3 or large values that could cause an integer overflow, until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mbed OS version 6.16.0 **Description** An issue was discovered in the hci parsing software of Mbed OS, where it dynamically determines the length of certain hci packets by reading a byte from its header. This can lead to a buffer overflow when the subsequent write operation copies the amount of data specified in the packet header, which may exceed the allocated buffer length. The bug can be exploited for a denial of service, but it is not certain to suffice to bring the system down and can generally not be exploited further because the exploitable buffer is dynamically allocated. **Recommendations** For Mbed OS version 6.16.0, as a temporary workaround, consider restricting the use of the hci parsing software until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RIOT-OS versions 2023.01 and prior **Description** The issue is related to the processing of 6LoWPAN frames in the network stack of RIOT-OS, an operating system for Internet of Things (IoT) devices. An attacker can send a crafted frame that, when forwarded by the device, causes a NULL pointer dereference during packet encoding, leading to a denial of service as the device crashes. There are no known workarounds for this issue. **Recommendations** For versions 2023.01 and prior, apply the patch available at pull request 19678 to resolve the issue. As a temporary workaround, consider restricting the ability of the device to forward crafted 6LoWPAN frames until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** RIOT-OS versions prior to 2023.04 **Description** The issue affects the network stack of RIOT-OS, specifically in the processing of 6LoWPAN frames. An attacker can send a crafted frame, resulting in an integer underflow and out of bounds access in the packet buffer. This can lead to corruption of other packets or the allocator metadata, and potentially cause a denial of service if a pointer is corrupted. **Recommendations** For versions prior to 2023.04, update to version 2023.04 to resolve the issue. As a temporary workaround, consider disabling SRH in the network stack until the update is applied.

**Name of the Vulnerable Software and Affected Versions** RIOT-OS versions prior to 2023.04 **Description** The issue affects the network stack of RIOT-OS, specifically its ability to process 6LoWPAN frames. An attacker can send a crafted frame to trigger a NULL pointer dereference, leading to denial of service. There are no known workarounds for this issue. **Recommendations** For versions prior to 2023.04, update to version 2023.04 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** RIOT-OS versions prior to 2023.04 **Description** The issue is related to the processing of 6LoWPAN frames in the network stack of RIOT-OS, an operating system for Internet of Things (IoT) devices. An attacker can send crafted frames to trigger the usage of an uninitialized object, leading to denial of service. This is caused by pointer dereference errors. **Recommendations** For versions prior to 2023.04, update to version 2023.04 to resolve the issue. As a temporary workaround, consider disabling fragment forwarding or SFR to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** RIOT-OS versions 2023.01 and prior **Description** The issue concerns the network stack of RIOT-OS, specifically its ability to process 6LoWPAN frames. An attacker can send a crafted frame to the device, resulting in an out of bounds write in the packet buffer. This overflow can be used to corrupt other packets and the allocator metadata, leading to denial of service or potentially allowing the attacker to write data to arbitrary locations and execute arbitrary code. **Recommendations** For versions 2023.01 and prior, as a temporary workaround, consider disabling support for fragmented IP datagrams to minimize the risk of exploitation. Update to a version that includes the fix from pull request 19680 to fully resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Contiki-NG versions 4.8 and prior **Description** The issue arises from the message handling code for IPv6 router solicitations in Contiki-NG, which contains an implementation of IPv6 Neighbor Discovery (ND) in the module `os/net/ipv6/uip-nd6.c`. The ND protocol includes a message type called Router Solicitation (RS), used to locate routers and update their address information via the SLLAO (Source Link-Layer Address Option). If the indicated source address changes, a given neighbor entry is set to the STALE state. The message handler does not check for RS messages with an SLLAO that indicates a link-layer address change, leading to the dereference of a NULL pointer of type `uip ds6 nbr t`. **Recommendations** For Contiki-NG versions 4.8 and prior, apply Contiki-NG pull request #2271 to patch the problem directly as a workaround. The problem has been patched in the `develop` branch of Contiki-NG, and will be included in the upcoming 4.9 release.

**Name of the Vulnerable Software and Affected Versions** RIOT-OS versions prior to 2022.10 **Description** RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the ability to process 6LoWPAN frames. An attacker can send a crafted frame to the device, resulting in a NULL pointer dereference while encoding a 6LoWPAN IPHC header. The NULL pointer dereference causes a hard fault exception, leading to denial of service. **Recommendations** For versions prior to 2022.10, update to version 2022.10 to resolve the issue. As a temporary workaround, apply the patches manually.

**Name of the Vulnerable Software and Affected Versions** RIOT-OS versions prior to 2022.10 **Description** The network stack in RIOT-OS, which supports Internet of Things devices, contains a flaw in its ability to process 6LoWPAN frames. An attacker can send a crafted frame to the device, resulting in an out of bounds write in the packet buffer. This overflow can corrupt other packets and the allocator metadata, leading to denial of service by corrupting a pointer. Furthermore, careful manipulation of the allocator metadata allows an attacker to write data to arbitrary locations, thus enabling the execution of arbitrary code. **Recommendations** For versions prior to 2022.10, update to version 2022.10 to fix the issue. As a temporary workaround, consider disabling support for fragmented IP datagrams until the update is applied. Alternatively, apply the patches manually to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** RIOT-OS versions prior to 2022.10 **Description** The issue concerns a network stack in RIOT-OS that processes 6LoWPAN frames. An attacker can send a crafted frame, resulting in a NULL pointer dereference during the forwarding of a fragment. This occurs because an uninitialized entry in the reassembly buffer is used, triggering a hard fault exception and leading to denial of service. **Recommendations** For versions prior to 2022.10, update to version 2022.10 to resolve the issue. As a temporary workaround, consider disabling support for fragmented IP datagrams until the update is applied. Alternatively, apply the patches manually to fix the issue.

**Name of the Vulnerable Software and Affected Versions** RIOT-OS versions prior to 2022.10 **Description** The issue arises from a type confusion between IPv6 extension headers and a UDP header while encoding a 6LoWPAN IPHC header in the network stack. This type confusion results in an out of bounds write in the packet buffer, potentially leading to denial of service by corrupting other packets and the allocator metadata. Furthermore, an attacker can manipulate the allocator metadata to write data to arbitrary locations, thus enabling the execution of arbitrary code. **Recommendations** For versions prior to 2022.10, update to version 2022.10 to resolve the issue. As a temporary workaround for versions prior to 2022.10, apply the patches manually.

**Name of the Vulnerable Software and Affected Versions** RIOT-OS versions prior to 2022.10 **Description** The issue affects the network stack of RIOT-OS, an operating system for Internet of Things devices, which can process 6LoWPAN frames. An attacker can send a crafted frame, resulting in a large out of bounds write beyond the packet buffer. This write creates a hard fault exception after reaching the last page of RAM. Since the hard fault is not handled, the system becomes stuck until it is reset, leading to a denial of service. **Recommendations** For versions prior to 2022.10, update to version 2022.10 to resolve the issue. As a temporary workaround for versions prior to 2022.10, apply the patch manually.

**Name of the Vulnerable Software and Affected Versions** Contiki-NG versions 4.8 and prior **Description** Contiki-NG is an open-source, cross-platform operating system for internet of things (IoT) devices. In the affected versions, an out-of-bounds write can occur in the BLE L2CAP module of the Contiki-NG operating system. The network stack of Contiki-NG uses a global buffer (packetbuf) for processing of packets, with the size of `PACKETBUF SIZE`. When using the BLE L2CAP module with the default configuration, the `PACKETBUF SIZE` value becomes larger than the actual size of the packetbuf. When large packets are processed by the L2CAP module, a buffer overflow can occur when copying the packet data to the packetbuf. **Recommendations** For Contiki-NG versions 4.8 and prior, the problem can be worked around by applying the patch manually. As a temporary workaround, consider disabling the BLE L2CAP module until a patch is available. The vulnerability has been patched in the "develop" branch of Contiki-NG, and will be included in release 4.9.

**Name of the Vulnerable Software and Affected Versions** Contiki-NG versions prior to and including 4.8 **Description** The issue concerns an out-of-bounds write in the BLE-L2CAP module of Contiki-NG, an open-source operating system for IoT devices. This module handles packet fragmentation up to the configured MTU size. When fragments are reassembled, they are stored in a packet buffer without verifying if the buffer is large enough, potentially leading to an out-of-bounds write of up to 1152 bytes in the default configuration. **Recommendations** For versions prior to and including 4.8, apply the patch in Contiki-NG pull request #2254 to fix the issue. As a temporary workaround, consider restricting the use of the BLE-L2CAP module until the patch is applied.