CVE-2023-37281: Contiki-NG IoT Operating System Out-of-Bounds Read Vulnerability in IPv6 Header Field Decompression

Contiki-NG is an open-source operating system for internet-of-things (IoT) devices, designed with a focus on low-power systems and reliable communication. Recently, a security vulnerability has been identified in versions 4.9 and earlier that could lead to an out-of-bounds read when processing IPv6 header fields during IPHC header decompression.

In this post, we will take a closer look at the vulnerability, its impact, and a possible workaround until an official patch is released.

Exploit Details

During the IPHC header decompression process, Contiki-NG ensures that the received packet buffer contains enough data for each specific header field. However, no similar check is done before decompressing the IPv6 address. As a result, the following line can read up to 16 bytes out of bounds:

memcpy(&ipaddr->u8[16 - postcount], iphc_ptr, postcount);

The postcount value depends on the address compression used in the received packet and can be controlled by an attacker. By crafting a specially made packet, an attacker can force the IoT device to perform an out-of-bound read.

Impact

The out-of-bounds read vulnerability can lead to a number of potential issues for affected IoT devices, including:

Leaking sensitive data stored in memory, such as cryptographic keys or private information

- Potential remote code execution, depending on the target device's specific memory layout and capabilities

It should be noted that as of the time of publication, a patched version of Contiki-NG is not yet available.

Workaround

In the absence of an official patch, a temporary workaround is available in Contiki-NG pull request #2509, which addresses the vulnerability by adding a check for the decompression process.

Add the following lines of code before the memcpy statement

if ((iphc_ptr + postcount) > (uip_buf + uip_len)) {
  PRINTF("6LoRH byte counting failed.\n");
  goto discard;
}

Save the changes and recompile your Contiki-NG system.

You can find the complete changes in the pull request #2509 on the official Contiki-NG GitHub repository.

Conclusion

CVE-2023-37281 is a serious vulnerability in Contiki-NG that exposes IoT devices to out-of-bounds read attacks. While no patched version is currently available, the workaround provided in this post can help mitigate the risk until an official update is released.

As always, it's critical to stay informed about the latest security updates for the software and hardware you use, and consider subscribing to relevant security mailing lists or channels to stay up to date on the latest developments.

Timeline

Published on: 09/15/2023 20:15:08 UTC
Last modified on: 09/19/2023 15:14:11 UTC