cve-2020-14935
Vulnerability from cvelistv5
Published
2020-08-18 16:32
Modified
2024-08-04 13:00
Severity ?
EPSS score ?
Summary
Buffer overflows were discovered in Contiki-NG 4.4 through 4.5, in the SNMP bulk get request response encoding function. The function parsing the received SNMP request does not verify the input message's requested variables against the capacity of the internal SNMP engine buffer. When a bulk get request response is assembled, a stack buffer dedicated for OIDs (with a limited capacity) is allocated in snmp_engine_get_bulk(). When snmp_engine_get_bulk() is populating the stack buffer, an overflow condition may occur due to lack of input length validation. This makes it possible to overwrite stack regions beyond the allocated buffer, including the return address from the function. As a result, the code execution path may be redirected to an address provided in the SNMP bulk get payload. If the target architecture uses common addressing space for program and data memory, it may also be possible to supply code in the SNMP request payload, and redirect the execution path to the remotely injected code, by modifying the function's return address.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing | Third Party Advisory | |
| cve@mitre.org | https://github.com/contiki-ng/contiki-ng/issues/1353 | Exploit, Third Party Advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:00:52.023Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/contiki-ng/contiki-ng/issues/1353"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Buffer overflows were discovered in Contiki-NG 4.4 through 4.5, in the SNMP bulk get request response encoding function. The function parsing the received SNMP request does not verify the input message\u0027s requested variables against the capacity of the internal SNMP engine buffer. When a bulk get request response is assembled, a stack buffer dedicated for OIDs (with a limited capacity) is allocated in snmp_engine_get_bulk(). When snmp_engine_get_bulk() is populating the stack buffer, an overflow condition may occur due to lack of input length validation. This makes it possible to overwrite stack regions beyond the allocated buffer, including the return address from the function. As a result, the code execution path may be redirected to an address provided in the SNMP bulk get payload. If the target architecture uses common addressing space for program and data memory, it may also be possible to supply code in the SNMP request payload, and redirect the execution path to the remotely injected code, by modifying the function\u0027s return address."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-18T16:32:37",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/contiki-ng/contiki-ng/issues/1353"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14935",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Buffer overflows were discovered in Contiki-NG 4.4 through 4.5, in the SNMP bulk get request response encoding function. The function parsing the received SNMP request does not verify the input message\u0027s requested variables against the capacity of the internal SNMP engine buffer. When a bulk get request response is assembled, a stack buffer dedicated for OIDs (with a limited capacity) is allocated in snmp_engine_get_bulk(). When snmp_engine_get_bulk() is populating the stack buffer, an overflow condition may occur due to lack of input length validation. This makes it possible to overwrite stack regions beyond the allocated buffer, including the return address from the function. As a result, the code execution path may be redirected to an address provided in the SNMP bulk get payload. If the target architecture uses common addressing space for program and data memory, it may also be possible to supply code in the SNMP request payload, and redirect the execution path to the remotely injected code, by modifying the function\u0027s return address."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing",
"refsource": "MISC",
"url": "https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing"
},
{
"name": "https://github.com/contiki-ng/contiki-ng/issues/1353",
"refsource": "MISC",
"url": "https://github.com/contiki-ng/contiki-ng/issues/1353"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-14935",
"datePublished": "2020-08-18T16:32:37",
"dateReserved": "2020-06-21T00:00:00",
"dateUpdated": "2024-08-04T13:00:52.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2020-14935\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-08-18T17:15:11.393\",\"lastModified\":\"2020-08-25T20:02:25.593\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Buffer overflows were discovered in Contiki-NG 4.4 through 4.5, in the SNMP bulk get request response encoding function. The function parsing the received SNMP request does not verify the input message\u0027s requested variables against the capacity of the internal SNMP engine buffer. When a bulk get request response is assembled, a stack buffer dedicated for OIDs (with a limited capacity) is allocated in snmp_engine_get_bulk(). When snmp_engine_get_bulk() is populating the stack buffer, an overflow condition may occur due to lack of input length validation. This makes it possible to overwrite stack regions beyond the allocated buffer, including the return address from the function. As a result, the code execution path may be redirected to an address provided in the SNMP bulk get payload. If the target architecture uses common addressing space for program and data memory, it may also be possible to supply code in the SNMP request payload, and redirect the execution path to the remotely injected code, by modifying the function\u0027s return address.\"},{\"lang\":\"es\",\"value\":\"Se detectaron desbordamientos del b\u00fafer en Contiki-NG versiones 4.4 hasta 4.5, en la funci\u00f3n de codificaci\u00f3n de respuesta de petici\u00f3n de obtenci\u00f3n masiva de SNMP. La funci\u00f3n que analiza la petici\u00f3n SNMP recibida no verifica las variables solicitadas contra el mensaje de entrada con la capacidad del b\u00fafer del motor SNMP interno. Cuando se ensambla una respuesta de petici\u00f3n de obtenci\u00f3n masiva, se asigna un b\u00fafer de pila dedicado para OID (con una capacidad limitada) en la funci\u00f3n snmp_engine_get_bulk(). Cuando la funci\u00f3n snmp_engine_get_bulk() est\u00e1 llenando el b\u00fafer de pila, puede ocurrir una condici\u00f3n de desbordamiento debido a una falta de comprobaci\u00f3n de la longitud de entrada. Esto hace posible sobrescribir las regiones de la pila m\u00e1s all\u00e1 del b\u00fafer asignado, incluyendo la direcci\u00f3n de retorno de la funci\u00f3n. Como resultado, la ruta de ejecuci\u00f3n del c\u00f3digo puede ser redirigida a una direcci\u00f3n proporcionada en la carga \u00fatil de obtenci\u00f3n masiva de SNMP. Si la arquitectura de destino usa un espacio de direccionamiento com\u00fan para la memoria de programas y datos, tambi\u00e9n puede ser posible suministrar c\u00f3digo en la carga \u00fatil de la petici\u00f3n SNMP y redireccionar la ruta de ejecuci\u00f3n al c\u00f3digo inyectado remotamente, modificando la direcci\u00f3n de retorno de la funci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":7.5},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:contiki-ng:contiki-ng:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0\",\"versionEndIncluding\":\"4.5\",\"matchCriteriaId\":\"881B1086-BAE1-4159-B69E-E01EE3AB64DD\"}]}]}],\"references\":[{\"url\":\"https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/contiki-ng/contiki-ng/issues/1353\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.