Misues same epoch number within TCP lifetime in TinyDTLS
2024-1-18 04:26:47 Author: seclists.org(查看原文) 阅读量:18 收藏

fulldisclosure logo

Full Disclosure mailing list archives


From: Meng Ruijie <ruijie_meng () u nus edu>
Date: Tue, 16 Jan 2024 14:01:57 +0000

[Suggested description]
An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. DTLS servers allow remote attackers to reuse the 
same epoch number within two times the TCP maximum segment lifetime, which is prohibited in RFC6347. This vulnerability 
allows remote attackers to obtain sensitive application (data of connected clients).

[VulnerabilityType Other]
Improper Handling of exception conditions

[Vendor of Product]
https://github.com/contiki-ng/tinydtls

[Affected Product Code Base]
contiki-ng tinydtls - master branch 53a0d97

[Affected Component]
the service of dtls servers

[Attack Type]
Remote

[Impact Code execution]
true

[Impact Information Disclosure]
true

[Reference]
https://github.com/contiki-ng/tinydtls/issues/25

[Discoverer]
jerrytesting

[CVE Reference]
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2021-42146 to this 
vulnerability.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Current thread:

  • Misues same epoch number within TCP lifetime in TinyDTLS Meng Ruijie (Jan 17)

文章来源: https://seclists.org/fulldisclosure/2024/Jan/19
如有侵权请联系:admin#unsafe.sh