PT-2020-14073 · Contiki Ng · Contiki-Ng

Mjurczak · Published 2020-08-18 · Updated 2020-08-25 · CVE-2020-14936

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Contiki-NG versions 4.4 through 4.5

Description

A buffer overflow issue was found in the SNMP agent of Contiki-NG, specifically in functions that parse OIDs in SNMP requests. The snmp_oid_decode_oid() function lacks sufficient verification of the target buffer capacity, which can lead to memory overwrites beyond the allocated buffer when called from snmp_message_decode() upon receiving an SNMP request. This allows for remote overwrite of an IoT device's memory regions, including stack and statically allocated variables, by sending a crafted SNMP request.

Recommendations

For Contiki-NG versions 4.4 through 4.5, consider disabling the SNMP agent until a patch is available to prevent potential remote exploitation. Restrict access to the snmp_oid_decode_oid() function and snmp_message_decode() to minimize the risk of buffer overflow. Avoid using the SNMP protocol with untrusted sources until the issue is resolved.
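
The class of check the description says is missing, shown as an added example that is not Contiki-NG code: a BER OID decoder that is told the capacity of its destination array and rejects any OID that would not fit. The names oid_decode and OID_MAX_SUBIDS and the sample bytes are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OID_MAX_SUBIDS 16  /* hypothetical capacity of the destination array */

/* Decode a BER OBJECT IDENTIFIER (tag 0x06, short-form length only) from
 * buf into out[0..cap). Returns the number of sub-identifiers written, or -1
 * if the input is malformed or the OID does not fit in out[]. */
int oid_decode(const uint8_t *buf, size_t buf_len, uint32_t *out, size_t cap)
{
  size_t n = 0, i, len;
  uint32_t sub = 0;

  if(buf_len < 3 || buf[0] != 0x06 || (buf[1] & 0x80)) return -1;
  len = buf[1];
  if(len == 0 || len > buf_len - 2) return -1; /* claimed length vs. bytes received */
  buf += 2;
  /* First octet packs two arcs as 40*X + Y; multi-octet first values are
   * rejected here to keep the example short. */
  if(cap < 2 || (buf[0] & 0x80)) return -1;
  out[n++] = buf[0] < 80 ? buf[0] / 40 : 2;
  out[n++] = buf[0] - 40 * out[0];

  for(i = 1; i < len; i++) {
    if(sub > (UINT32_MAX >> 7)) return -1;     /* value would overflow 32 bits */
    sub = (sub << 7) | (buf[i] & 0x7f);
    if(buf[i] & 0x80) continue;                /* continuation bit: more octets follow */
    if(n >= cap) return -1;                    /* capacity check: never write past out[] */
    out[n++] = sub;
    sub = 0;
  }
  return (buf[len - 1] & 0x80) ? -1 : (int)n;  /* last sub-identifier must be terminated */
}

/* Constructed sample inputs. */
static const uint8_t sample_ok[] =             /* 1.3.6.1.4.1.311 */
  { 0x06, 0x07, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37 };
static const uint8_t sample_long[] =           /* 20 arcs, more than OID_MAX_SUBIDS */
  { 0x06, 0x13, 0x2b, 1,1,1,1,1,1, 1,1,1,1,1,1, 1,1,1,1,1,1 };

int main(void)
{
  uint32_t oid[OID_MAX_SUBIDS];
  int ok = oid_decode(sample_ok, sizeof(sample_ok), oid, OID_MAX_SUBIDS);
  int too_long = oid_decode(sample_long, sizeof(sample_long), oid, OID_MAX_SUBIDS);
  printf("ok=%d long=%d\n", ok, too_long);
  return 0;
}
```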

Fix

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2020-14936

Affected Products

Contiki-Ng