Joakimeriksson

**Name of the Vulnerable Software and Affected Versions** Contiki-NG versions prior to 4.9 **Description** The issue is related to a buffer overflow in the os/net/ipv6/uip6.c component of Contiki-NG, an open-source operating system for IoT devices. This occurs when handling the Maximum Segment Size (MSS) parameter values from incoming packets. The problem arises because the system does not verify that certain buffer indices are within the bounds of the IPv6 packet buffer, uip buf, leading to a 2-byte read out of bounds. This can be exploited by a remote attacker to cause a denial of service. **Recommendations** For Contiki-NG versions prior to 4.9, upgrade to version 4.9 when it becomes available to resolve the issue. As a temporary workaround, consider manually patching with the diff in commit `cde4e9839`. There are no other workarounds aside from this manual patching.

**Name of the Vulnerable Software and Affected Versions** Contiki-NG versions 4.8 and prior **Description** An off-by-one error can be triggered in the Antelope database management system in the Contiki-NG operating system. The problem exists in the Contiki File System (CFS) backend for the storage of data, specifically in the file os/storage/antelope/storage-cfs.c. In the functions `storage get index` and `storage put index`, a buffer for merging two strings is allocated with one byte less than the maximum size of the merged strings, causing subsequent function calls to the cfs open function to read from memory beyond the buffer size. **Recommendations** For Contiki-NG versions 4.8 and prior, apply the patch in Contiki-NG pull request #2425 as a workaround to fix the issue.

**Name of the Vulnerable Software and Affected Versions** Contiki-NG versions prior to 4.8 **Description** The 6LoWPAN implementation in Contiki-NG may cast a UDP header structure at a certain offset in a packet buffer without checking if the packet buffer is large enough to fit a full UDP header structure from the offset where the casting is made. This can cause an out-of-bounds read beyond the packet buffer. The issue affects devices running Contiki-NG that may receive 6LoWPAN packets from external parties. **Recommendations** For Contiki-NG versions prior to 4.8, update to Contiki-NG version 4.8 to resolve the issue. As a temporary workaround, consider restricting the reception of 6LoWPAN packets from external parties until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Contiki-NG versions prior to 4.8 **Description** The low-power IPv6 network stack of Contiki-NG has a buffer module that processes IPv6 extension headers in incoming data packets. The function `uipbuf get next header` casts a pointer to a `uip ext hdr` structure into the packet buffer at different offsets where extension headers are expected to be found, and then reads from this structure. Due to a lack of bounds checking, the casting can be done so that the structure extends beyond the packet's end. With a carefully crafted packet, it is possible to cause the Contiki-NG system to read data outside the packet buffer. **Recommendations** For versions prior to 4.8, update to Contiki-NG 4.8 to fix the issue. As a temporary workaround, consider restricting the processing of IPv6 extension headers in incoming data packets until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** Contiki-NG versions prior to 4.8 **Description** The issue is related to insufficient validation of IPv6 neighbor discovery options, allowing attackers to send neighbor solicitation packets that trigger an out-of-bounds read. This problem exists in the module os/net/ipv6/uip-nd6.c, specifically with memory read operations from the main packet buffer, `uip buf`, which are not checked for out-of-bounds access. The attack can occur when reading the 2-byte option header and the Source Link-Layer Address Option (SLLAO), and it requires IPv6 to be enabled for the network. **Recommendations** For versions prior to 4.8, upgrade to version 4.8 or later, which includes the patch for this issue. As a temporary workaround, users unable to upgrade may apply the patch in Contiki-NG PR #1654.

**Name of the Vulnerable Software and Affected Versions** Contiki-NG versions prior to 4.7 **Description** Contiki-NG is an open-source, cross-platform operating system for IoT devices. A buffer overflow can occur when copying an IPv6 address prefix in the RPL-Classic implementation. To trigger this issue, the Contiki-NG system must have joined an RPL DODAG, and then an attacker can send a DAO packet with a Target option containing a prefix length larger than 128 bits. **Recommendations** For versions prior to 4.7, update to Contiki-NG 4.7 or apply the patch in Contiki-NG PR #1615 to resolve the issue. As a temporary workaround, consider restricting the ability to send DAO packets with large prefix lengths until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** Contiki-NG versions prior to 4.7 **Description** The issue is related to the RPL-Classic routing protocol implementation in the Contiki-NG operating system. Specifically, an incoming DODAG Information Option (DIO) control message can contain a prefix information option with a length parameter that is not validated. This can cause a buffer overflow when copying the prefix in the `set ip from prefix` function. The estimated number of potentially affected devices is not provided, and there is no information about real-world incidents where this issue was exploited. **Recommendations** To resolve the issue, users should upgrade to Contiki-NG 4.7 or later. As a temporary workaround, consider restricting the reception of RPL DIO messages from external parties until a patched version is installed. There are no other workarounds for this issue.

Name of the Vulnerable Software and Affected Versions: Contiki-NG versions prior to 4.6 Description: The issue allows an attacker to perform a denial-of-service attack by triggering an infinite loop in the processing of IPv6 neighbor solicitation (NS) messages. This can effectively shut down the operation of the system due to the cooperative scheduling used for the main parts of Contiki-NG and its communication stack. Recommendations: For versions prior to 4.6, apply the patch for this issue out-of-band as a workaround. Update to Contiki-NG version 4.6 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Contiki-NG versions 4.6 and prior **Description** An out-of-bounds read can be triggered by 6LoWPAN packets sent to devices running Contiki-NG. The IPv6 header decompression function (`uncompress hdr iphc`) does not perform proper boundary checks when reading from the packet buffer, allowing the construction of a compressed 6LoWPAN packet that reads more bytes than available from the packet buffer. **Recommendations** For Contiki-NG versions 4.6 and prior, users can apply the patch for this issue out-of-band as a workaround. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Contiki-NG versions prior to 4.6 Description: A buffer overflow issue exists in Contiki-NG, an open-source operating system for internet of things devices. After establishing a TCP socket using the tcp-socket library, a remote endpoint can send a packet with an unvalidated data offset. Recommendations: For versions prior to 4.6, apply the patch for this issue out-of-band as a workaround.

Name of the Vulnerable Software and Affected Versions: Contiki-NG versions prior to 4.6 Description: The issue affects Contiki-NG, an open-source operating system for internet of things devices. It is possible to cause an out-of-bounds write when transmitting a 6LoWPAN packet with a chain of extension headers. The written header is not checked to be within the available space, making it possible to write outside the buffer. Recommendations: For versions prior to 4.6, apply the patch for this issue out-of-band as a workaround. For versions prior to 4.6, update to Contiki-NG 4.6 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Contiki-NG versions prior to 4.5 **Description** The issue is related to a buffer overflow that can be triggered by an input packet when using either of Contiki-NG's two RPL implementations in source-routing mode. This is due to a lack of size checking for copied data. The problem can be exploited by a remote attacker to cause a denial of service. **Recommendations** For versions prior to 4.5, apply the patch for this issue out-of-band as a workaround. As a temporary workaround, consider disabling the use of Contiki-NG's RPL implementations in source-routing mode until the patch is applied.