

=====================================================================

                                  CERT-Renater

                      Information Note No. 2022/VULN477

_____________________________________________________________________

DATE                : 20/12/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Contiki-NG versions prior to 4.9.

=====================================================================
https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-24xp-g5gf-6vvm
_____________________________________________________________________


Invalid memory access in the BLE L2CAP module
Moderate
nvt published GHSA-24xp-g5gf-6vvm

Package
ble-l2cap

Affected versions
<= 4.8

Patched versions
None


Description

Impact

The Contiki-NG operating system for IoT devices contains a Bluetooth
Low Energy stack. An attacker can inject a packet in this stack, which
causes the implementation to dereference a NULL pointer and triggers
undefined behavior.

More specifically, while processing the L2CAP protocol, the
implementation maps an incoming channel ID to its metadata structure.
In this structure, state information regarding credits is managed
through calls to the function input_l2cap_credit in the module
os/net/mac/ble/ble-l2cap.c.
Unfortunately, the input_l2cap_credit function does not check that the
metadata corresponding to the user-supplied channel ID actually exists,
which can lead to the channel variable being set to NULL before a pointer
dereferencing operation is performed.
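
The missing check described above, shown in a self-contained C model. This is
an added example, not Contiki-NG's code or the patch from the pull request.
All names (channel_t, open_channel, get_channel_for_cid, handle_credit_frame),
the table size and the simplified frame layout are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_CHANNELS 2                 /* hypothetical table size */
#define CODE_FLOW_CONTROL_CREDIT 0x16  /* L2CAP LE Flow Control Credit */

typedef struct {
  int in_use;
  uint16_t cid;      /* channel ID announced to the peer */
  uint16_t credits;  /* credits the peer has granted us */
} channel_t;

static channel_t channels[MAX_CHANNELS];

/* Setup helper: register an open channel, returns 0 on success. */
int open_channel(uint16_t cid, uint16_t credits) {
  for (size_t i = 0; i < MAX_CHANNELS; i++) {
    if (!channels[i].in_use) {
      channels[i] = (channel_t){ 1, cid, credits };
      return 0;
    }
  }
  return -1;
}

/* Map a peer-supplied CID to its metadata; NULL when no such channel. */
channel_t *get_channel_for_cid(uint16_t cid) {
  for (size_t i = 0; i < MAX_CHANNELS; i++) {
    if (channels[i].in_use && channels[i].cid == cid) return &channels[i];
  }
  return NULL;
}

/* Frame: code(1) id(1) length(2) cid(2) credits(2), little-endian.
 * Returns 0 when credits were applied, -1 when the frame is dropped. */
int handle_credit_frame(const uint8_t *data, size_t len) {
  if (data == NULL || len < 8 || data[0] != CODE_FLOW_CONTROL_CREDIT) return -1;
  uint16_t cid = (uint16_t)(data[4] | (data[5] << 8));
  uint16_t credits = (uint16_t)(data[6] | (data[7] << 8));

  channel_t *channel = get_channel_for_cid(cid);
  if (channel == NULL) return -1;   /* unknown CID: drop, never dereference */
  if (credits > UINT16_MAX - channel->credits) return -1; /* would overflow */

  channel->credits = (uint16_t)(channel->credits + credits);
  return 0;
}
```

The overflow rejection is an extra hardening choice of this example and is not
something the advisory describes.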


Patches

The vulnerability has been patched in the "develop" branch of Contiki-NG,
and will be included in release 4.9.


Workarounds

Users can apply the patch in Contiki-NG pull request #2253.


For more information

If you have any questions or comments about this advisory:

     Open an issue in https://github.com/contiki-ng/contiki-ng
     Email us at security@contiki-ng.org


Severity
Moderate

CVE ID
CVE-2022-41972

Weaknesses
CWE-476


Credits

     @Scepticz Scepticz
     @SWW13 SWW13
     @Diff-fusion Diff-fusion


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


