Remote Code Execution Vulnerability in Contiki-NG tinyDTLS
CVE-2021-42146

7.5HIGH

Key Information:

Vendor: Contiki-ng
Status: Tinydtls
Vendor: CVE Published:; 24 January 2024

What is CVE-2021-42146?

A vulnerability in Contiki-NG's tinyDTLS exposes DTLS servers to potential attacks by allowing the reuse of the same epoch number within a timeframe that exceeds the permissible limits defined in RFC6347. This enables remote attackers to access sensitive data of connected clients, posing a significant risk to the integrity and confidentiality of application-level data. The breach is particularly concerning as it circumvents established protocols meant to safeguard against such actions, highlighting the need for immediate attention and remediation by users of the affected software.

References

https://seclists.org/fulldisclosure/2024/Jan/19

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 24, 2024
Vulnerability Reserved
Oct 11, 2021

Contiki-ng

What is CVE-2021-42146?

References

CVSS V3.1

Timeline