CVE-2022-41873
Vulnerability from cvelistv5
Published
2022-11-11 00:00
Modified
2024-08-03 12:56
Severity ?
4.2 (Medium) - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Out-of-bounds read and write in BLE L2CAP module
References
security-advisories@github.comhttps://github.com/contiki-ng/contiki-ng/pull/2081Patch, Third Party Advisory
security-advisories@github.comhttps://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-m5cj-fw8m-ffgfThird Party Advisory
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:56:38.311Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-m5cj-fw8m-ffgf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/contiki-ng/contiki-ng/pull/2081"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "contiki-ng",
          "vendor": "contiki-ng",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. Versions prior to 4.9 are vulnerable to an Out-of-bounds read. While processing the L2CAP protocol, the Bluetooth Low Energy stack of Contiki-NG needs to map an incoming channel ID to its metadata structure. While looking up the corresponding channel structure in get_channel_for_cid (in os/net/mac/ble/ble-l2cap.c), a bounds check is performed on the incoming channel ID, which is meant to ensure that the channel ID does not exceed the maximum number of supported channels.However, an integer truncation issue leads to only the lowest byte of the channel ID to be checked, which leads to an incomplete out-of-bounds check. A crafted channel ID leads to out-of-bounds memory to be read and written with attacker-controlled data. The vulnerability has been patched in the \"develop\" branch of Contiki-NG, and will be included in release 4.9. As a workaround, Users can apply the patch in Contiki-NG pull request 2081 on GitHub."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-11T00:00:00",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-m5cj-fw8m-ffgf"
        },
        {
          "url": "https://github.com/contiki-ng/contiki-ng/pull/2081"
        }
      ],
      "source": {
        "advisory": "GHSA-m5cj-fw8m-ffgf",
        "discovery": "UNKNOWN"
      },
      "title": "Out-of-bounds read and write in BLE L2CAP module"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-41873",
    "datePublished": "2022-11-11T00:00:00",
    "dateReserved": "2022-09-30T00:00:00",
    "dateUpdated": "2024-08-03T12:56:38.311Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-41873\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-11-11T04:15:11.973\",\"lastModified\":\"2022-11-18T14:05:22.993\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. Versions prior to 4.9 are vulnerable to an Out-of-bounds read. While processing the L2CAP protocol, the Bluetooth Low Energy stack of Contiki-NG needs to map an incoming channel ID to its metadata structure. While looking up the corresponding channel structure in get_channel_for_cid (in os/net/mac/ble/ble-l2cap.c), a bounds check is performed on the incoming channel ID, which is meant to ensure that the channel ID does not exceed the maximum number of supported channels.However, an integer truncation issue leads to only the lowest byte of the channel ID to be checked, which leads to an incomplete out-of-bounds check. A crafted channel ID leads to out-of-bounds memory to be read and written with attacker-controlled data. The vulnerability has been patched in the \\\"develop\\\" branch of Contiki-NG, and will be included in release 4.9. As a workaround, Users can apply the patch in Contiki-NG pull request 2081 on GitHub.\"},{\"lang\":\"es\",\"value\":\"Contiki-NG es un sistema operativo multiplataforma de c\u00f3digo abierto para dispositivos Next-Generation IoT. Las versiones anteriores a la 4.9 son vulnerables a una lectura fuera de los l\u00edmites. Mientras procesa el protocolo L2CAP, la pila Bluetooth Low Energy de Contiki-NG necesita asignar un ID de canal entrante a su estructura de metadatos. Mientras se busca la estructura del canal correspondiente en get_channel_for_cid (en os/net/mac/ble/ble-l2cap.c), se realiza una verificaci\u00f3n de los l\u00edmites en el ID del canal entrante, cuyo objetivo es garantizar que el ID del canal no exceda el n\u00famero m\u00e1ximo de canales admitidos. Sin embargo, un problema de truncamiento de enteros hace que solo se verifique el byte m\u00e1s bajo del ID del canal, lo que genera una verificaci\u00f3n fuera de los l\u00edmites incompleta. Una ID de canal manipulada conduce a una memoria fuera de los l\u00edmites para leer y escribir con datos controlados por el atacante. La vulnerabilidad ha sido parcheada en la rama \\\"develop\\\" de Contiki-NG y se incluir\u00e1 en la versi\u00f3n 4.9. Como workaround, los usuarios pueden aplicar el parche en la solicitud de extracci\u00f3n 2081 de Contiki-NG en GitHub.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.2,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.6,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"},{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:contiki-ng:contiki-ng:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.9\",\"matchCriteriaId\":\"379D2D9F-EFB4-4C8B-B9FB-82ABC0131AAB\"}]}]}],\"references\":[{\"url\":\"https://github.com/contiki-ng/contiki-ng/pull/2081\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-m5cj-fw8m-ffgf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.