CVE-2020-14935

Buffer overflows were discovered in Contiki-NG 4.4 through 4.5, in the SNMP bulk get request response encoding function. The function parsing the received SNMP request does not verify the input message's requested variables against the capacity of the internal SNMP engine buffer. When a bulk get request response is assembled, a stack buffer dedicated for OIDs (with a limited capacity) is allocated in snmp_engine_get_bulk(). When snmp_engine_get_bulk() is populating the stack buffer, an overflow condition may occur due to lack of input length validation. This makes it possible to overwrite stack regions beyond the allocated buffer, including the return address from the function. As a result, the code execution path may be redirected to an address provided in the SNMP bulk get payload. If the target architecture uses common addressing space for program and data memory, it may also be possible to supply code in the SNMP request payload, and redirect the execution path to the remotely injected code, by modifying the function's return address.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing	Third Party Advisory
https://github.com/contiki-ng/contiki-ng/issues/1353	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:contiki-ng:contiki-ng:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-08-18 17:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-14935

Mitre link : CVE-2020-14935

CVE.ORG link : CVE-2020-14935

JSON object : View

Products Affected

contiki-ng

contiki-ng

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2020-14935", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-08-18T17:15:11.393", "references": [{"url": "https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/contiki-ng/contiki-ng/issues/1353", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "Buffer overflows were discovered in Contiki-NG 4.4 through 4.5, in the SNMP bulk get request response encoding function. The function parsing the received SNMP request does not verify the input message's requested variables against the capacity of the internal SNMP engine buffer. When a bulk get request response is assembled, a stack buffer dedicated for OIDs (with a limited capacity) is allocated in snmp_engine_get_bulk(). When snmp_engine_get_bulk() is populating the stack buffer, an overflow condition may occur due to lack of input length validation. This makes it possible to overwrite stack regions beyond the allocated buffer, including the return address from the function. As a result, the code execution path may be redirected to an address provided in the SNMP bulk get payload. If the target architecture uses common addressing space for program and data memory, it may also be possible to supply code in the SNMP request payload, and redirect the execution path to the remotely injected code, by modifying the function's return address."}, {"lang": "es", "value": "Se detectaron desbordamientos del b\u00fafer en Contiki-NG versiones 4.4 hasta 4.5, en la funci\u00f3n de codificaci\u00f3n de respuesta de petici\u00f3n de obtenci\u00f3n masiva de SNMP. La funci\u00f3n que analiza la petici\u00f3n SNMP recibida no verifica las variables solicitadas contra el mensaje de entrada con la capacidad del b\u00fafer del motor SNMP interno. Cuando se ensambla una respuesta de petici\u00f3n de obtenci\u00f3n masiva, se asigna un b\u00fafer de pila dedicado para OID (con una capacidad limitada) en la funci\u00f3n snmp_engine_get_bulk(). Cuando la funci\u00f3n snmp_engine_get_bulk() est\u00e1 llenando el b\u00fafer de pila, puede ocurrir una condici\u00f3n de desbordamiento debido a una falta de comprobaci\u00f3n de la longitud de entrada. Esto hace posible sobrescribir las regiones de la pila m\u00e1s all\u00e1 del b\u00fafer asignado, incluyendo la direcci\u00f3n de retorno de la funci\u00f3n. Como resultado, la ruta de ejecuci\u00f3n del c\u00f3digo puede ser redirigida a una direcci\u00f3n proporcionada en la carga \u00fatil de obtenci\u00f3n masiva de SNMP. Si la arquitectura de destino usa un espacio de direccionamiento com\u00fan para la memoria de programas y datos, tambi\u00e9n puede ser posible suministrar c\u00f3digo en la carga \u00fatil de la petici\u00f3n SNMP y redireccionar la ruta de ejecuci\u00f3n al c\u00f3digo inyectado remotamente, modificando la direcci\u00f3n de retorno de la funci\u00f3n."}], "lastModified": "2020-08-25T20:02:25.593", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:contiki-ng:contiki-ng:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "881B1086-BAE1-4159-B69E-E01EE3AB64DD", "versionEndIncluding": "4.5", "versionStartIncluding": "4.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}