Contiki-NG, an open-source operating system designed specifically for internet-of-things (IoT) devices, is vulnerable to an out-of-bounds read issue. This is due to inadequate verification of incoming TCP packets in versions 4.9 and earlier. This vulnerability has been assigned the identifier CVE-2023-37459 and could allow an attacker to cause a crash, leak information, or potentially execute arbitrary code.

What is Contiki-NG?

Contiki-NG (https://www.contiki-ng.org/) is an IoT operating system designed to be highly efficient, providing features like communication stack, energy efficiency, and support for a variety of hardware platforms. It is often used in smart cities, homes, industrial automation, and other IoT applications.

Vulnerability Details

CVE-2023-37459 allows an attacker to exploit the network stack of Contiki-NG by sending a truncated TCP packet. This issue arises due to the implementation of the check_for_tcp_syn function when parsing the incoming TCP packet. The Contiki-NG network stack attempts to start the periodic TCP timer if it is a TCP packet with the SYN flag set but fails to verify that a full TCP header has been received.

Here is a code snippet from the check_for_tcp_syn function in the vulnerable implementation:

if(tcp_flags(uip_buf, uip_len) & TCP_SYN_FLAG) {
  start_periodic_tcp_timer();
}

This code lacks a verification step to ensure the incoming packet carries a full TCP header. Because the implementation reads the flags field from the TCP buffer without any length check, an attacker can send a truncated TCP packet and cause an out-of-bounds read from the packet buffer.

Mitigation

As of the time of publication, there is no patched version of Contiki-NG available to address this vulnerability. However, a temporary workaround is available by manually applying changes found in Contiki-NG pull request #251 (https://github.com/contiki-ng/contiki-ng/pull/251).

This pull request introduces the necessary verification and validation steps before starting the periodic TCP timer, ensuring that the received packet has a full TCP header.

#define UIP_TCPH_LEN 20
...
if(uip_len >= UIP_TCPH_LEN && tcp_flags(uip_buf, uip_len) & TCP_SYN_FLAG) {
  start_periodic_tcp_timer();
}

This code snippet from the proposed patch checks that the received packet is at least the size of a full TCP header before attempting to access the flags field. Because `&&` short-circuits, tcp_flags is never called when the length check fails.
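To make the difference between the two checks concrete, here is an added, self-contained C model of the bug and the fix. It is not Contiki-NG code: the buffer layout, the tcp_flags accessor, the constructed 20-byte SYN segment, the UIP_BUFSIZE value and the scenario functions are all assumptions made for illustration, and the model places the TCP header at offset 0 of the packet buffer instead of behind the IPv6 header. The model also reuses one fixed packet buffer across receptions, which is what makes the unchecked variant act on stale bytes from a previous packet when a truncated segment arrives.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (not Contiki-NG's real layout): the packet buffer holds only
 * the TCP segment, so the flags byte sits at offset 13 of a 20-byte minimum header. */
#define UIP_BUFSIZE      128   /* assumed fixed buffer size */
#define UIP_TCPH_LEN     20    /* minimum TCP header length, as in the patch */
#define TCP_FLAGS_OFFSET 13
#define TCP_SYN_FLAG     0x02

static uint8_t uip_buf[UIP_BUFSIZE]; /* fixed packet buffer, reused across packets */
static uint16_t uip_len;             /* bytes actually received for the current packet */

/* Unchecked accessor: it trusts that a header is present and reads the flags
 * byte regardless of how many bytes were received (assumed, for the model). */
static uint8_t tcp_flags(const uint8_t *buf, uint16_t len) {
  (void)len;
  return buf[TCP_FLAGS_OFFSET];
}

static int timer_started;
static void start_periodic_tcp_timer(void) { timer_started = 1; }

/* Vulnerable logic: the length is never checked before the flags read. */
static int check_for_tcp_syn_vulnerable(void) {
  timer_started = 0;
  if(tcp_flags(uip_buf, uip_len) & TCP_SYN_FLAG) {
    start_periodic_tcp_timer();
  }
  return timer_started;
}

/* Patched logic: require a full TCP header before touching the flags field.
 * `&&` short-circuits, so tcp_flags is not called for a short segment. */
static int check_for_tcp_syn_fixed(void) {
  timer_started = 0;
  if(uip_len >= UIP_TCPH_LEN && tcp_flags(uip_buf, uip_len) & TCP_SYN_FLAG) {
    start_periodic_tcp_timer();
  }
  return timer_started;
}

/* Copy a constructed segment into the shared buffer. Bytes beyond len are left
 * untouched, mirroring a reused packet buffer on a real device. */
static void receive(const uint8_t *seg, uint16_t len) {
  memcpy(uip_buf, seg, len);
  uip_len = len;
}

/* Constructed 20-byte TCP header with only SYN set, no options. */
static const uint8_t syn_segment[UIP_TCPH_LEN] = {
  0x30, 0x39, 0x00, 0x50, /* src port 12345, dst port 80 */
  0x00, 0x00, 0x00, 0x01, /* sequence number */
  0x00, 0x00, 0x00, 0x00, /* acknowledgment number */
  0x50, 0x02,             /* data offset 5 (20 bytes), flags = SYN */
  0xff, 0xff,             /* window */
  0x00, 0x00, 0x00, 0x00  /* checksum, urgent pointer */
};

/* A complete SYN: both variants start the timer. */
static int scenario_full_syn_fixed(void) {
  receive(syn_segment, UIP_TCPH_LEN);
  return check_for_tcp_syn_fixed();
}

/* A full SYN followed by a segment truncated to 8 bytes. The fixed check
 * rejects the short one. */
static int scenario_truncated_after_syn_fixed(void) {
  receive(syn_segment, UIP_TCPH_LEN);
  check_for_tcp_syn_fixed();
  receive(syn_segment, 8);
  return check_for_tcp_syn_fixed();
}

/* Same sequence through the unchecked variant: it reads the stale flags byte
 * left by the earlier packet. Inside this oversized model buffer the read stays
 * in bounds; on the device it runs past the data that was actually received. */
static int scenario_truncated_after_syn_vulnerable(void) {
  receive(syn_segment, UIP_TCPH_LEN);
  check_for_tcp_syn_vulnerable();
  receive(syn_segment, 8);
  return check_for_tcp_syn_vulnerable();
}

int main(void) {
  printf("full SYN, fixed check starts timer: %d\n", scenario_full_syn_fixed());
  printf("truncated segment, fixed check starts timer: %d\n", scenario_truncated_after_syn_fixed());
  printf("truncated segment, unchecked variant starts timer: %d\n", scenario_truncated_after_syn_vulnerable());
  return 0;
}
```

The point of the stale-byte scenario is that the missing check is not only a memory-safety problem: the unchecked variant makes a protocol decision (starting the periodic TCP timer) based on bytes that were never part of the packet being processed, which is why the length check belongs before any field access rather than after it.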

Conclusion

CVE-2023-37459 is a critical vulnerability affecting Contiki-NG or any IoT device using its network stack. The out-of-bounds read issue can be exploited by an attacker through the injection of a truncated TCP packet. Until a patched version of Contiki-NG is available, apply the workaround mentioned above to ensure the security of your IoT devices. Regularly check Contiki-NG releases and updates for the patch and apply it as soon as it is available to protect your IoT devices from potential attacks.

Timeline

Published on: 09/15/2023 20:15:08 UTC
Last modified on: 09/19/2023 15:14:43 UTC