CVE-2021-42143

Name of the Vulnerable Software and Affected Versions Contiki-NG tinyDTLS through master branch 53a0d97

Description An issue exists in the handling of a ClientHello handshake message, where an infinite loop bug can be triggered by remote attackers sending a malformed message with an odd length of cipher suites. This results in a denial of service, consuming all resources, and a buffer over-read that can disclose sensitive information.

Recommendations For Contiki-NG tinyDTLS through master branch 53a0d97, consider disabling the handling of ClientHello handshake messages with odd length cipher suites as a temporary workaround until a patch is available. Restrict access to the tinyDTLS module to minimize the risk of exploitation. Avoid using the cipher suites variable in the affected handshake message until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.