CVE-2020-14935 Information

Description

Buffer overflows were discovered in Contiki-NG 4.4 through 4.5 in the SNMP bulk get request response encoding function. The function parsing the received SNMP request does not verify the input message’s requested variables against the capacity of the internal SNMP engine buffer. When a bulk get request response is assembled a stack buffer dedicated for OIDs (with a limited capacity) is allocated in snmp_engine_get_bulk(). When snmp_engine_get_bulk() is populating the stack buffer an overflow condition may occur due to lack of input length validation. This makes it possible to overwrite stack regions beyond the allocated buffer including the return address from the function. As a result the code execution path may be redirected to an address provided in the SNMP bulk get payload. If the target architecture uses common addressing space for program and data memory it may also be possible to supply code in the SNMP request payload and redirect the execution path to the remotely injected code by modifying the function’s return address.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing https://github.com/contiki-ng/contiki-ng/issues/1353

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8