CVE-2018-19417

Name of the Vulnerable Software and Affected Versions Contiki-NG versions prior to 4.2

Description A issue in the MQTT server allows for Remote Code Execution via a stack-smashing attack. The parse publish vhdr() function uses memcpy to input data into a fixed-size buffer without a length check, potentially overwriting the function return address. This could provide access to all memory regions since the MQTT server is not separated from other servers and OS modules.

Recommendations For Contiki-NG versions prior to 4.2, update to version 4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the MQTT server to minimize the risk of exploitation.