Mjurczak

**Name of the Vulnerable Software and Affected Versions** Contiki-NG versions 4.4 through 4.5 **Description** A buffer overflow issue was discovered in the SNMP agent of Contiki-NG. The function that parses received SNMP requests does not verify the input message's requested variables against the capacity of the internal SNMP engine buffer. If the number of variables in the request exceeds the allocated buffer, a memory write out of the buffer boundaries occurs, allowing the sender to overwrite other variables allocated in the .bss section. This issue may enable the overwriting of sensitive memory areas of an IoT device due to the lack of strict process memory separation. **Recommendations** For Contiki-NG versions 4.4 through 4.5, as a temporary workaround, consider disabling the SNMP agent until a patch is available. Restrict access to the SNMP functionality to minimize the risk of exploitation. Avoid using the affected function that parses SNMP requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Contiki-NG versions 4.4 through 4.5 **Description** A memory access issue was discovered in the SNMP BER encoder/decoder, where the length of provided input/output buffers is insufficiently verified during encoding and decoding of data. This may lead to out-of-bounds buffer read or write access in BER decoding and encoding functions. **Recommendations** For Contiki-NG versions 4.4 through 4.5, as a temporary workaround, consider restricting the use of the SNMP BER encoder/decoder until a patch is available. Avoid using the affected functions for encoding and decoding data until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Contiki-NG versions 4.4 through 4.5 **Description** A buffer overflow issue was found in the SNMP agent of Contiki-NG, specifically in functions that parse OIDs in SNMP requests. The `snmp oid decode oid()` function lacks sufficient verification of the target buffer capacity, which can lead to memory overwrites beyond the allocated buffer when called from `snmp message decode()` upon receiving an SNMP request. This allows for remote overwrite of an IoT device's memory regions, including stack and statically allocated variables, by sending a crafted SNMP request. **Recommendations** For Contiki-NG versions 4.4 through 4.5, consider disabling the SNMP agent until a patch is available to prevent potential remote exploitation. Restrict access to the `snmp oid decode oid()` function and `snmp message decode()` to minimize the risk of buffer overflow. Avoid using the SNMP protocol with untrusted sources until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Contiki-NG versions 4.4 through 4.5 **Description** A buffer overflow issue was discovered in the SNMP bulk get request response encoding function. The function does not verify the input message's requested variables against the capacity of the internal SNMP engine buffer, leading to a potential overflow condition when assembling a bulk get request response. This can cause a stack buffer overflow, allowing an attacker to overwrite the return address from the function and potentially redirect the code execution path. On architectures with common addressing space for program and data memory, it may also be possible to inject code remotely. **Recommendations** For Contiki-NG versions 4.4 through 4.5, consider disabling the SNMP bulk get request functionality until a patch is available to prevent potential exploitation. Restrict access to the `snmp engine get bulk()` function to minimize the risk of overflow. Avoid using the SNMP bulk get request feature in the affected versions to prevent potential code execution redirection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RIOT version 2020.04 **Description** The issue is related to a buffer overflow in the base64 decoder. The `base64 decode()` function uses an output buffer estimation function `base64 estimate decode size()` to compute the required buffer capacity and validate against the provided buffer size. However, `base64 estimate decode size()` calculates the expected decoded size with an arithmetic round-off error and does not account for possible padding bytes, potentially leading to a buffer overflow when crafted base64 input is used. **Recommendations** For RIOT version 2020.04, consider disabling the `base64 decode()` function until a patch is available to prevent potential buffer overflow exploitation. Restrict the use of the base64 decoder to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Arm Mbed OS version 5.15.3 Arm mbed-coap library version 5.1.5 **Description** A memory leak issue was discovered in the CoAP library of Arm Mbed OS when using the Arm mbed-coap library. The CoAP parser, specifically the function `sn coap parser options parse()`, is responsible for parsing received CoAP packets. Due to a lack of overflow detection, it is possible to craft a packet that wraps the option number around, resulting in the same option number being processed again in a single packet. Certain options, such as `COAP OPTION URI QUERY`, `COAP OPTION URI PATH`, `COAP OPTION LOCATION QUERY`, and `COAP OPTION ETAG`, allocate memory without checking if it has already been allocated, leading to multiple assignments of allocated memory to a single pointer and resulting in a memory leak by buffer orphaning. **Recommendations** For Arm Mbed OS version 5.15.3, consider disabling the `sn coap parser options parse()` function until a patch is available. For Arm mbed-coap library version 5.1.5, restrict access to the CoAP parser to minimize the risk of exploitation. Avoid using the affected options, such as `COAP OPTION URI QUERY`, `COAP OPTION URI PATH`, `COAP OPTION LOCATION QUERY`, and `COAP OPTION ETAG`, in the CoAP packets until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Arm Mbed OS version 5.15.3 **Description** A buffer over-read was discovered in the CoAP library. The CoAP parser is responsible for parsing received CoAP packets. The function `sn coap parser options parse()` parses the CoAP packet header starting from the message token. The length of the token in the received message is provided in the first byte parsed by the `sn coap parser options parse()` function. The length encoded in the message is not validated against the actual input buffer length before accessing the token. As a result, memory access outside of the intended boundary of the buffer may occur. **Recommendations** For Arm Mbed OS version 5.15.3, as a temporary workaround, consider disabling the `sn coap parser options parse()` function until a patch is available. Restrict access to the CoAP library to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Arm Mbed OS version 5.15.3 **Description** An infinite loop was discovered in the CoAP library. The CoAP parser is responsible for parsing received CoAP packets. The function `sn coap parser options parse multiple options()` parses CoAP options in a while loop. This loop's exit condition is computed using the previously allocated heap memory required for storing the result of parsing multiple options. If the input heap memory calculation results in zero bytes, the loop exit condition is never met and the loop is not terminated. As a result, the packet parsing function never exits, leading to resource consumption. **Recommendations** For Arm Mbed OS version 5.15.3, consider disabling the `sn coap parser options parse multiple options()` function until a patch is available to prevent potential resource consumption due to the infinite loop.

**Name of the Vulnerable Software and Affected Versions** Arm Mbed OS version 5.15.3 **Description** A buffer over-read was discovered in the CoAP library. The CoAP parser is responsible for parsing received CoAP packets. The function `sn coap parser options parse multiple options()` parses CoAP options that may occur multiple consecutive times in a single packet. While processing the options, `packet data pptr` is accessed after being incremented by `option len` without a prior out-of-bounds memory check. The `temp parsed uri query ptr` is validated for a correct range, but the range valid for `temp parsed uri query ptr` is derived from the amount of allocated heap memory, not the actual input size. Therefore the check of `temp parsed uri query ptr` may be insufficient for safe access to the area pointed to by `packet data pptr`. As a result, access to a memory area outside of the intended boundary of the packet buffer is made. **Recommendations** As a temporary workaround, consider disabling the `sn coap parser options parse multiple options()` function until a patch is available. Restrict access to the CoAP library to minimize the risk of exploitation. Avoid using the `packet data pptr` and `temp parsed uri query ptr` variables in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Arm Mbed OS version 5.15.3 **Description** Buffer over-reads were discovered in the CoAP library. The CoAP parser is responsible for parsing received CoAP packets. The function `sn coap parser options parse()` parses CoAP input linearly using a while loop. The actual input packet length is not verified against the number of bytes read when processing the option extended delta and the option extended length. Moreover, the calculation of the `message left` variable, in the case of non-extended option deltas, is incorrect and indicates more data left for processing than provided in the function input. This leads to heap-based or stack-based memory location read access that is outside of the intended boundary of the buffer, potentially resulting in processing of unintended inputs or system memory access violation errors. **Recommendations** For Arm Mbed OS version 5.15.3, as a temporary workaround, consider disabling the `sn coap parser options parse()` function until a patch is available. Restrict access to the CoAP library to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.