Buffer Over-read Vulnerability in FreeRTOS-Plus-TCP DNS Response Parser
CVE-2024-38373
8.1 HIGH
What is CVE-2024-38373?
FreeRTOS-Plus-TCP, a TCP/IP stack designed for FreeRTOS, contains a buffer over-read vulnerability in its DNS Response Parser. The issue arises while parsing domain names from a DNS response: a crafted response whose domain name length field is larger than the domain name data actually present can cause the parser to read beyond the end of the DNS response buffer. The vulnerability affects applications that use the DNS functionality of the FreeRTOS-Plus-TCP stack; applications that do not use DNS are unaffected, even when DNS functionality is enabled in the stack. A patch addressing the issue was released in version 4.1.1.
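The following is an added illustration of the bug class described above, not code from FreeRTOS-Plus-TCP or from the advisory. DNS names are encoded as a sequence of length-prefixed labels ending in a zero byte; a parser that trusts each length byte without comparing it to the bytes remaining in the response will walk past the end of the buffer. The constructed memory layout below places a short response fragment (whose second label claims 9 bytes while only 3 are present) directly in front of unrelated bytes, so the over-read stays inside one array (defined C) and its effect is visible in the returned name. `parse_dns_name_unchecked` shows the unsafe pattern; `parse_dns_name` adds the bounds check a hardened parser needs. Both function names and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout (not a real capture): a DNS response fragment that
 * occupies the first RESPONSE_LEN bytes, followed by bytes that belong to
 * something else entirely. The second label's length byte (9) claims more
 * bytes than the response actually holds (only "abc" follows it). */
static const uint8_t kMemory[] = {
    4, 'h', 'o', 's', 't',            /* label 1: "host"                     */
    9, 'a', 'b', 'c',                 /* label 2: length 9, but 3 bytes left  */
    'S', 'E', 'C', 'R', 'E', 'T', 0   /* adjacent data outside the response   */
};
#define RESPONSE_LEN 9

/* Well-formed name "host.com" for comparison (constructed). */
static const uint8_t kGoodName[] = { 4, 'h', 'o', 's', 't', 3, 'c', 'o', 'm', 0 };

/* Unsafe pattern: trusts every length byte and never consults the buffer
 * length. Returns bytes consumed; writes a dotted name into out. */
size_t parse_dns_name_unchecked(const uint8_t *buf, char *out)
{
    size_t pos = 0, out_pos = 0;
    uint8_t len;
    while ((len = buf[pos++]) != 0) {
        if (out_pos) out[out_pos++] = '.';
        memcpy(out + out_pos, buf + pos, len);   /* over-reads when len is a lie */
        out_pos += len;
        pos += len;
    }
    out[out_pos] = '\0';
    return pos;
}

/* Hardened version: every read is checked against the bytes remaining in
 * the response. Returns bytes consumed (including the terminating zero),
 * or 0 if the name is malformed or does not fit in out. */
size_t parse_dns_name(const uint8_t *buf, size_t buf_len, char *out, size_t out_len)
{
    size_t pos = 0, out_pos = 0;
    for (;;) {
        if (pos >= buf_len) return 0;            /* no room for a length byte   */
        uint8_t len = buf[pos++];
        if (len == 0) break;                     /* root label: end of name      */
        if (len & 0xC0) return 0;                /* compression pointer: rejected in this example */
        if (len > 63) return 0;                  /* RFC 1035 label limit         */
        if (len > buf_len - pos) return 0;       /* the missing over-read check  */
        if (out_pos + len + 1 >= out_len) return 0;
        if (out_pos) out[out_pos++] = '.';
        memcpy(out + out_pos, buf + pos, len);
        out_pos += len;
        pos += len;
    }
    out[out_pos] = '\0';
    return pos;
}

int main(void)
{
    char out[64];
    size_t n = parse_dns_name_unchecked(kMemory, out);
    printf("unchecked: consumed %zu bytes, name \"%s\"\n", n, out); /* leaks SECRET */
    n = parse_dns_name(kMemory, RESPONSE_LEN, out, sizeof out);
    printf("checked:   returned %zu (0 = rejected)\n", n);
    n = parse_dns_name(kGoodName, sizeof kGoodName, out, sizeof out);
    printf("checked:   consumed %zu bytes, name \"%s\"\n", n, out);
    return 0;
}
```

Running the unchecked parser over the fragment yields the name `host.abcSECRET`: the bytes past the response were copied out as if they were part of the domain name, which is exactly what an over-read of this kind does to whatever sits after the DNS buffer. The checked parser rejects the same input as soon as the claimed label length exceeds the bytes remaining, and still accepts the well-formed name.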
Affected Version(s)
FreeRTOS-Plus-TCP >= 4.0.0, <= 4.1.0
