Contiki-NG Operating System Vulnerability Allows Remote Code Execution

CVECVE-2023-31129
CVSScvssV3_1: 7.5
SourceCVE-2023-31129

The Contiki-NG operating system, which is used in IoT devices, contains a vulnerability that can allow remote code execution.

Contiki-NG has an implementation of IPv6 Neighbor Discovery that handles Router Solicitation messages. However, it fails to validate the source address included in these messages before using it. An attacker can craft a malicious message that causes a NULL pointer to be dereferenced, resulting in a crash or potential code execution.

This issue affects Contiki-NG versions 4.8 and below. A remote attacker on the local network could exploit this by sending a specially crafted Router Solicitation packet. This would allow them to execute arbitrary code or install malware on vulnerable devices.

Contiki-NG has released version 4.9 which fixes this issue. Users are recommended to upgrade to the latest version as soon as possible to protect their devices from remote exploitation over the network. Alternatively, an interim patch is available that can be applied to fix the vulnerability in older versions.

It is important for Internet of Things device owners using Contiki-NG to update their systems to prevent hackers from gaining unauthorized access and control over their devices from remote locations on the network.

References