Contiki-NG OS Vulnerability: Out-of-Bounds Read in SNMP Module
CVE-2024-41126

9.6CRITICAL

Key Information:

Vendor: Contiki-ng
Status: Contiki-ng
Vendor: CVE Published:; 27 November 2024

What is CVE-2024-41126?

An out-of-bounds read vulnerability affects the Contiki-NG operating system, which is used in various IoT devices. It can be triggered when sending a packet to a device where the SNMP module is enabled. The issue lies in the snmp_message_decode function located in the os/net/app-layer/snmp/snmp-message.c file, which incorrectly handles buffer boundaries while reading a single byte after decoding an object identifier (OID). Although the SNMP module is disabled by default in Contiki-NG configurations, users who require its functionality should be aware of this vulnerability and can apply the patch provided in pull request 2937 on GitHub to secure their installations. As an additional safeguard, users are encouraged to disable the SNMP module until the next release that includes this fix.

Affected Version(s)

contiki-ng <= 4.9

References

https://github.com/contiki-ng/contiki-ng/security/advisor...

x_refsource_CONFIRM

https://github.com/contiki-ng/contiki-ng/pull/2937

x_refsource_MISC

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 27, 2024
Vulnerability Reserved
Jul 15, 2024

Contiki-ng

What is CVE-2024-41126?

Affected Version(s)

References

CVSS V3.1

Timeline