CVE-2024-38373

Name of the Vulnerable Software and Affected Versions FreeRTOS-Plus-TCP versions 4.0.0 through 4.1.0

Description The issue is related to a buffer over-read in the DNS Response Parser of the FreeRTOS-Plus-TCP stack when parsing domain names in a DNS response. A carefully crafted DNS response with a domain name length value greater than the actual domain name length could cause the parser to read beyond the DNS response buffer. This affects applications using the DNS functionality of the FreeRTOS-Plus-TCP stack. Applications not using DNS functionality are not affected.

Recommendations For FreeRTOS-Plus-TCP versions 4.0.0 through 4.1.0, update to version 4.1.1 to resolve the issue. As a temporary workaround, consider disabling the DNS functionality until a patch is available. Restrict access to the DNS Response Parser to minimize the risk of exploitation. Avoid using the DNS functionality in the affected API endpoints until the issue is resolved.