CVE-2023-23609
Published on: Not Yet Published
Last Modified on: 02/07/2023 07:59:00 PM UTC
Certain versions of Contiki-ng from Contiki-ng contain the following vulnerability:
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. Versions prior to and including 4.8 are vulnerable to an out-of-bounds write that can occur in the BLE-L2CAP module. The Bluetooth Low Energy - Logical Link Control and Adaptation Layer Protocol (BLE-L2CAP) module handles fragmentation of packets up the configured MTU size. When fragments are reassembled, they are stored in a packet buffer of a configurable size, but there is no check to verify that the packet buffer is large enough to hold the reassembled packet. In Contiki-NG's default configuration, it is possible that an out-of-bounds write of up to 1152 bytes occurs. The vulnerability has been patched in the "develop" branch of Contiki-NG, and will be included in release 4.9. The problem can be fixed by applying the patch in Contiki-NG pull request #2254 prior to the release of version 4.9.
- CVE-2023-23609 has been assigned by
security-adviso[email protected] to track the vulnerability - currently rated as HIGH severity.
- Affected Vendor/Software:
contiki-ng - contiki-ng version = <= 4.8
CVSS3 Score: 7.4 - HIGH
Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
---|---|---|---|
ADJACENT_NETWORK | LOW | NONE | NONE |
Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
CHANGED | NONE | HIGH | NONE |
CVE References
Description | Tags ⓘ | Link |
---|---|---|
Improper size validation of L2CAP frames · Advisory · contiki-ng/contiki-ng · GitHub | github.com text/html |
![]() |
Check available packetbuf space before writing to it in ble-l2cap by nvt · Pull Request #2254 · contiki-ng/contiki-ng · GitHub | github.com text/html |
![]() |
Exploit/POC from Github
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. Versions prior to and …
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Operating System | Contiki-ng | Contiki-ng | All | All | All | All |
- cpe:2.3:o:contiki-ng:contiki-ng:*:*:*:*:*:*:*:*:
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
![]() |
CVE-2023-23609 : Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. Ver… twitter.com/i/web/status/1… | 2023-01-26 22:03:46 |