Contiki-NG IoT OS Patches Critical Vulnerabilities
Researchers have identified and addressed three critical vulnerabilities in Contiki-NG, a popular open-source operating system for Internet of Things (IoT) devices. These vulnerabilities could allow attackers to crash devices or potentially execute malicious code.
Contiki-NG is designed for low-power devices with constrained resources, making it a common choice for applications like industrial control systems, smart homes, and wearables. The discovered vulnerabilities affect versions of Contiki-NG up to and including 4.9.
The vulnerabilities include:
- CVE-2024-41125 (CVSS 8.4): An out-of-bounds read vulnerability in the Simple Network Management Protocol (SNMP) module. “An out-of-bounds read of 1 byte can be triggered when sending a packet to a device running the Contiki-NG operating system with SNMP enabled,” the advisory explains. This flaw could allow an attacker to read sensitive information from memory.
- CVE-2024-47181 (CVSS 7.5): An unaligned memory access vulnerability in the Routing Protocol for Low-Power and Lossy Networks (RPL) implementation. “If an IPv6 packet containing an odd number of padded bytes before the RPL option, it can cause the rpl_ext_header_hbh_update function to read a 16-bit integer from an odd address,” states the advisory. This vulnerability could lead to system crashes.
- CVE-2024-41126 (CVSS 8.4): Another out-of-bounds read vulnerability in the SNMP module. This vulnerability occurs when decoding a message and “can be triggered when sending a packet to a device running the Contiki-NG operating system with SNMP enabled.” Similar to CVE-2024-41125, this flaw could allow attackers to extract sensitive data.
While the SNMP module is disabled by default in Contiki-NG, developers who have enabled it are strongly urged to update their systems. Patches for CVE-2024-41125 and CVE-2024-41126 are available in Contiki-NG pull requests #2936 and #2937 respectively.
A patch for CVE-2024-47181 is available in pull request #2962 and will be included in the next Contiki-NG release. In the meantime, developers can manually apply the patch to mitigate this vulnerability.
As IoT devices become increasingly prevalent, it is crucial for developers and users to prioritize security best practices and promptly apply updates to mitigate potential threats.
