CVE-2022-41873

{"id": "CVE-2022-41873", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.6}]}, "published": "2022-11-11T04:15:11.973", "references": [{"url": "https://github.com/contiki-ng/contiki-ng/pull/2081", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-m5cj-fw8m-ffgf", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. Versions prior to 4.9 are vulnerable to an Out-of-bounds read. While processing the L2CAP protocol, the Bluetooth Low Energy stack of Contiki-NG needs to map an incoming channel ID to its metadata structure. While looking up the corresponding channel structure in get_channel_for_cid (in os/net/mac/ble/ble-l2cap.c), a bounds check is performed on the incoming channel ID, which is meant to ensure that the channel ID does not exceed the maximum number of supported channels.However, an integer truncation issue leads to only the lowest byte of the channel ID to be checked, which leads to an incomplete out-of-bounds check. A crafted channel ID leads to out-of-bounds memory to be read and written with attacker-controlled data. The vulnerability has been patched in the \"develop\" branch of Contiki-NG, and will be included in release 4.9. As a workaround, Users can apply the patch in Contiki-NG pull request 2081 on GitHub."}, {"lang": "es", "value": "Contiki-NG es un sistema operativo multiplataforma de c\u00f3digo abierto para dispositivos Next-Generation IoT. Las versiones anteriores a la 4.9 son vulnerables a una lectura fuera de los l\u00edmites. Mientras procesa el protocolo L2CAP, la pila Bluetooth Low Energy de Contiki-NG necesita asignar un ID de canal entrante a su estructura de metadatos. Mientras se busca la estructura del canal correspondiente en get_channel_for_cid (en os/net/mac/ble/ble-l2cap.c), se realiza una verificaci\u00f3n de los l\u00edmites en el ID del canal entrante, cuyo objetivo es garantizar que el ID del canal no exceda el n\u00famero m\u00e1ximo de canales admitidos. Sin embargo, un problema de truncamiento de enteros hace que solo se verifique el byte m\u00e1s bajo del ID del canal, lo que genera una verificaci\u00f3n fuera de los l\u00edmites incompleta. Una ID de canal manipulada conduce a una memoria fuera de los l\u00edmites para leer y escribir con datos controlados por el atacante. La vulnerabilidad ha sido parcheada en la rama \"develop\" de Contiki-NG y se incluir\u00e1 en la versi\u00f3n 4.9. Como workaround, los usuarios pueden aplicar el parche en la solicitud de extracci\u00f3n 2081 de Contiki-NG en GitHub."}], "lastModified": "2022-11-18T14:05:22.993", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:contiki-ng:contiki-ng:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "379D2D9F-EFB4-4C8B-B9FB-82ABC0131AAB", "versionEndExcluding": "4.9"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}