Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-35927
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Unverified DIO prefix info lengths in RPL-Classic in Contiki-NG
Source: NVD (National Vulnerability Database)
Vulnerability Description
Contiki-NG is an open-source, cross-platform operating system for IoT devices. In the RPL-Classic routing protocol implementation in the Contiki-NG operating system, an incoming DODAG Information Option (DIO) control message can contain a prefix information option with a length parameter. The value of the length parameter is not validated, however, and it is possible to cause a buffer overflow when copying the prefix in the set_ip_from_prefix function. This vulnerability affects anyone running a Contiki-NG version prior to 4.7 that can receive RPL DIO messages from external parties. To obtain a patched version, users should upgrade to Contiki-NG 4.7 or later. There are no workarounds for this issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
未进行输入大小检查的缓冲区拷贝(传统缓冲区溢出)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Contiki-NG 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Contiki-NG是一套用于下一代IoT(物联网)设备的开源跨平台操作系统。 Contiki-NG 4.7之前版本存在安全漏洞,该漏洞源于在 Contiki-NG 操作系统中的 RPL-Classic 路由协议实现中,传入的 DODAG 信息选项 (DIO)控制消息的长度参数的值未经过验证,攻击者利用该漏洞可以导致缓冲区溢出。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
VendorProductAffected VersionsCPESubscribe
contiki-ngcontiki-ng < 4.7 -
II. Public POCs for CVE-2022-35927
#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC
III. Intelligence Information for CVE-2022-35927
Please Login to view more intelligence information
IV. Related Vulnerabilities
Same product: contiki-ng
Same vendor: contiki-ng
Same weakness: CWE-120
V. Comments for CVE-2022-35927

No comments yet

Leave a comment