PT-2020-14072 · Contiki Ng · Contiki-Ng

Mjurczak · Published 2020-08-18 · Updated 2020-08-25 · CVE-2020-14935

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Contiki-NG versions 4.4 through 4.5

Description

A buffer overflow issue was discovered in the SNMP bulk get request response encoding function. The function does not verify the input message's requested variables against the capacity of the internal SNMP engine buffer, leading to a potential overflow condition when assembling a bulk get request response. This can cause a stack buffer overflow, allowing an attacker to overwrite the return address from the function and potentially redirect the code execution path. On architectures with common addressing space for program and data memory, it may also be possible to inject code remotely.

Recommendations

For Contiki-NG versions 4.4 through 4.5, consider disabling the SNMP bulk get request functionality until a patch is available to prevent potential exploitation. Restrict access to the snmp_engine_get_bulk() function to minimize the risk of overflow. Avoid using the SNMP bulk get request feature in the affected versions to prevent potential code execution redirection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
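The missing check described above, shown as an added example that is not Contiki-NG code: a bulk get response builder that tests the remaining capacity of a fixed buffer before every write and truncates the response when it is full. All names (RESP_CAP, varbind_t, mib_next, put, bulk_get), the single-integer OIDs and the sample MIB are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define RESP_CAP 4 /* assumed capacity of the fixed response buffer */
typedef struct { uint32_t oid; int32_t value; } varbind_t; /* OID simplified to one integer */

/* Constructed sample MIB, sorted by OID. */
static const varbind_t sample_mib[] = { {10, 1}, {20, 2}, {30, 3}, {40, 4}, {50, 5}, {60, 6} };

/* Lexicographic successor of oid, or NULL at the end of the MIB. */
static const varbind_t *mib_next(uint32_t oid)
{
  for (size_t i = 0; i < sizeof(sample_mib) / sizeof(sample_mib[0]); i++)
    if (sample_mib[i].oid > oid) return &sample_mib[i];
  return NULL;
}

/* Append one varbind only if a slot is left: the capacity check the description says is missing. */
static int put(varbind_t *out, size_t cap, size_t *n, const varbind_t *vb)
{
  if (*n >= cap) return 0;
  out[(*n)++] = *vb;
  return 1;
}

/* Builds a bulk get response into out[cap]; returns the number of varbinds written. */
size_t bulk_get(const uint32_t *req, size_t req_len, size_t non_rep, size_t max_rep, varbind_t *out, size_t cap)
{
  uint32_t cursor[RESP_CAP];
  size_t n = 0;
  if (req_len > RESP_CAP) return 0;          /* request list itself does not fit: reject */
  if (non_rep > req_len) non_rep = req_len;
  for (size_t i = 0; i < non_rep; i++) {     /* non-repeaters: one successor each */
    const varbind_t *vb = mib_next(req[i]);
    if (vb && !put(out, cap, &n, vb)) return n;
  }
  for (size_t i = non_rep; i < req_len; i++) cursor[i] = req[i];
  for (size_t r = 0; r < max_rep; r++) {     /* repeaters: up to max_rep rounds */
    int progressed = 0;
    for (size_t i = non_rep; i < req_len; i++) {
      const varbind_t *vb = mib_next(cursor[i]);
      if (!vb) continue;
      if (!put(out, cap, &n, vb)) return n;  /* buffer full: truncate the response */
      cursor[i] = vb->oid;
      progressed = 1;
    }
    if (!progressed) break;                  /* end of MIB: do not spin on a huge max_rep */
  }
  return n;
}
```

The request-controlled repetition count never decides how much is written; only the remaining buffer capacity does.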

Exploit

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2020-14935

Affected Products

Contiki-Ng