CVE-2021-28362

Name of the Vulnerable Software and Affected Versions: Contiki versions through 3.0

Description: An issue was discovered in Contiki when sending an ICMPv6 error message due to invalid extension header options in an incoming IPv6 packet. There is an attempt to remove the RPL extension headers, but the packet length and the extension header length are unchecked and susceptible to integer underflow. This allows constructing an invalid extension header that can cause memory corruption issues and lead to a Denial-of-Service condition. The issue is related to the rpl-ext-header.c file.

Recommendations: For Contiki versions through 3.0, as a temporary workaround, consider disabling the handling of ICMPv6 error messages for invalid extension header options until a patch is available. Restrict access to the RPL extension headers to minimize the risk of exploitation. Avoid using the rpl-ext-header.c file in critical operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.