Strix
26.1K

CVE-2023-24819

CRITICALCVSS 9.8/10EPSS 0.98%

Last modified

CVE-2023-24819 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the ability to process 6LoWPAN frames. Prior to version 2022.10, an attacker can send a crafted frame to the device resulting in an out of bounds write in the packet buffer. EPSS estimates a 0.98% chance of exploitation in the next 30 days.

Description

RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the ability to process 6LoWPAN frames. Prior to version 2022.10, an attacker can send a crafted frame to the device resulting in an out of bounds write in the packet buffer. The overflow can be used to corrupt other packets and the allocator metadata. Corrupting a pointer will easily lead to denial of service. While carefully manipulating the allocator metadata gives an attacker the possibility to write data to arbitrary locations and thus execute arbitrary code. Version 2022.10 fixes this issue. As a workaround, disable support for fragmented IP datagrams or apply the patches manually.

Metrics

CVSS 3.1
9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.98%

57.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
Riot-OsRiot< 2022.10

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2023-24819?
RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the ability to process 6LoWPAN frames. Prior to version 2022.10, an attacker can send a crafted frame to the device resulting in an out of bounds write in the packet buffer. The overflow can be used to corrupt other packets and the allocator metadata. Corrupting a pointer will easily lead to denial of service. While carefully manipulating the allocator metadata gives an attacker the possibility to write data to arbitrary locations and thus execute arbitrary code. Version 2022.10 fixes this issue. As a workaround, disable support for fragmented IP datagrams or apply the patches manually.
How severe is CVE-2023-24819?
CVE-2023-24819 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 0.98% probability of exploitation in the next 30 days.
How do I fix CVE-2023-24819?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-24819?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST