CVE-2018-19417

moderate-risk
Published 2018-11-21

An issue was discovered in the MQTT server in Contiki-NG before 4.2. The function parse_publish_vhdr() that parses MQTT PUBLISH messages with a variable length header uses memcpy to input data into a fixed size buffer. The allocated buffer can fit only MQTT_MAX_TOPIC_LENGTH (default 64) bytes, and a length check is missing. This could lead to Remote Code Execution via a stack-smashing attack (overwriting the function return address). Contiki-NG does not separate the MQTT server from other servers and the OS modules, so access to all memory regions is possible.

Do I need to act?

~
6.2% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 7b076e4af14b2259596f6d3765105d0593ae5257
10
CVSS 10.0/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Contiki-Ng

References (2)

Exploit https://github.com/contiki-ng/contiki-ng/issues/600
Exploit https://github.com/contiki-ng/contiki-ng/issues/600
47
/ 100
moderate-risk
Severity 33/34 · Critical
Exploitability 9/34 · Low
Exposure 5/34 · Minimal