PT-2020-14071 · Contiki Ng · Contiki-Ng
Mjurczak · Published 2020-08-18 · Updated 2020-08-25
CVE-2020-14934
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Contiki-NG versions 4.4 through 4.5
Description
A buffer overflow issue was discovered in the SNMP agent of Contiki-NG. The function that parses received SNMP requests does not verify the input message's requested variables against the capacity of the internal SNMP engine buffer. If the number of variables in the request exceeds the allocated buffer, a memory write out of the buffer boundaries occurs, allowing the sender to overwrite other variables allocated in the .bss section. This issue may enable the overwriting of sensitive memory areas of an IoT device due to the lack of strict process memory separation.
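The missing bound described above, shown as an added example in C that is not Contiki-NG's code: a parser for a simplified varbind list that checks the variable count against the fixed buffer's capacity before each write. The names `parse_varbinds` and `MAX_VARBINDS`, the canary field, the simplified encoding and the sample requests are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_VARBINDS 2        /* assumed capacity of the fixed engine buffer */
#define CANARY 0xC0FFEE00u

struct varbind { const uint8_t *oid; uint8_t oid_len; };

/* Statically allocated like the buffer in the advisory; the canary stands in
 * for whatever neighbouring variable the linker places after it. */
static struct { struct varbind vb[MAX_VARBINDS]; uint32_t canary; } engine =
  { .canary = CANARY };

/* Simplified request body (not full BER): repeated [0x06][len][OID bytes].
 * Returns the number of varbinds stored, or -1 if malformed or too many. */
int parse_varbinds(const uint8_t *buf, size_t len)
{
  size_t pos = 0;
  int count = 0;

  while (pos < len) {
    if (len - pos < 2 || buf[pos] != 0x06) return -1;   /* header present? */
    uint8_t oid_len = buf[pos + 1];
    if (oid_len == 0 || (size_t)oid_len > len - pos - 2) return -1; /* OID fits? */
    if (count >= MAX_VARBINDS) return -1;  /* capacity check before the write */
    engine.vb[count].oid = &buf[pos + 2];
    engine.vb[count].oid_len = oid_len;
    count++;
    pos += 2 + (size_t)oid_len;
  }
  return count;
}

int canary_intact(void) { return engine.canary == CANARY; }

/* Constructed sample requests. */
static const uint8_t two_vars[] = { 0x06,3,0x2b,6,1, 0x06,3,0x2b,6,2 };
static const uint8_t three_vars[] = { 0x06,3,0x2b,6,1, 0x06,3,0x2b,6,2, 0x06,3,0x2b,6,3 };
static const uint8_t truncated[] = { 0x06,5,0x2b,6 };

int main(void)
{
  printf("two=%d three=%d truncated=%d canary_ok=%d\n",
         parse_varbinds(two_vars, sizeof two_vars),
         parse_varbinds(three_vars, sizeof three_vars),
         parse_varbinds(truncated, sizeof truncated), canary_intact());
  return 0;
}
```

Rejecting the whole request when the count exceeds capacity keeps the neighbouring static data untouched; a real agent would also return an SNMP error response to the sender.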
Recommendations
For Contiki-NG versions 4.4 through 4.5, as a temporary workaround, consider disabling the SNMP agent until a patch is available. Restrict access to the SNMP functionality to minimize the risk of exploitation. Avoid using the affected function that parses SNMP requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Memory Corruption
Affected Products
Contiki-Ng