Skip to content

Packet Type Confusion during IPHC send

Critical
chrysn published GHSA-jwmv-47p2-hgq2 Apr 24, 2023

Package

RIOT-OS

Affected versions

< 2022.10

Patched versions

2022.10

Description

Impact

RIOT-OS contains a network stack with the ability to process 6LoWPAN frames. An attacker can send a crafted frame to the device resulting in a type confusion between IPv6 extension headers and a UDP header. This occures while encoding a 6LoWPAN IPHC header. The type confusion manifests in an out of bounds write in the packet buffer. The overflow can be used to corrupt other packets and the allocator metadata. Corrupting a pointer will easily lead to denial of service. While carefully manipulating the allocator metadata gives an attacker the possibility to write data to arbitrary locations and thus execute arbitrary code.

Patches

Workarounds

  • Backport the patches listed above

For more information

If you have any questions or comments about this advisory:

Bug Details

During calculation of the size for the IPHC snippet the first snippet of type GNRC_NETTYPE_UNDEF is assumed to be the UDP header and only the required 8 bytes are added to the size.
But during forwarding this snippet can also contain the IPv6 extension headers which may be much larger (source)

if (ptr->type == GNRC_NETTYPE_UNDEF) {
    /* most likely UDP for now so use that (XXX: extend if extension
     * headers make problems) */
    dispatch_size += sizeof(udp_hdr_t);
    break;  /* nothing special after UDP so quit even if more UNDEF
             * come */
}
else {
    dispatch_size += ptr->size;
}
...
dispatch = gnrc_pktbuf_add(NULL, NULL, dispatch_size + 1,
                           GNRC_NETTYPE_SIXLOWPAN);

While compressing the headers the type is only taken from the next header field of the IPv6 header/extension header and not from the snippet type (source):

    nh = ((ipv6_hdr_t *)pkt->next->data)->nh;
#ifdef MODULE_GNRC_SIXLOWPAN_IPHC_NHC
    while (_compressible_nh(nh)) {
        ssize_t local_pos = 0;
        switch (nh) {
            case PROTNUM_UDP:
                ...
            case PROTNUM_IPV6: {    /* encapsulated IPv6 header */
                ...
            case PROTNUM_IPV6_EXT_HOPOPT:
            case PROTNUM_IPV6_EXT_RH:
            case PROTNUM_IPV6_EXT_FRAG:
            case PROTNUM_IPV6_EXT_DST:
            case PROTNUM_IPV6_EXT_MOB:
                ...

The compressed headers can be larger than the allocated space and thus overflow the allocated packet buffer.

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2023-24823

Weaknesses

Credits