CVE-2023-37459
CVSS 3.1 Score 5.3 of 10 (medium)
Details
Summary
CVE-2023-37459 is a vulnerability in Contiki-NG, an open-source operating system for internet-of-things devices. In versions 4.9 and earlier, the network stack starts its periodic TCP timer when it receives a TCP packet with the SYN flag set, but it does not verify that a complete TCP header was actually received before it reads the flags field. An attacker can therefore send a TCP packet whose header is truncated and trigger an out-of-bounds read from the packet buffer: the flags byte is taken from memory past the end of the received data. At the time of writing no patched release of Contiki-NG is available; a potential workaround is to apply the changes proposed in Contiki-NG pull request #2510.
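The pattern behind the bug, as an added example that is not Contiki-NG's code: a fixed-size packet buffer holds stale bytes from earlier packets past the current packet's length, and a parser that reads the TCP flags byte without first checking that length picks up a stale SYN from a truncated packet. The buffer layout, sizes, and function names below are assumptions chosen to illustrate the check, not the project's own definitions; the checked variant shows the kind of length test a fix needs before touching the flags field.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for an IPv6 + TCP packet (assumed sizes, not Contiki-NG constants). */
#define IPV6_HDR_LEN   40
#define TCP_HDR_LEN    20
#define TCP_FLAGS_OFF  13      /* offset of the flags byte within the TCP header */
#define TCP_SYN        0x02
#define BUF_SIZE       128     /* fixed-size packet buffer, as embedded stacks typically use */

/* Hypothetical packet buffer: the array is always BUF_SIZE bytes, but only `len` of them
 * belong to the packet being processed. Bytes past `len` are stale data from earlier packets.
 * Keeping the array fixed-size also keeps the demo's over-read inside defined memory. */
struct pkt_buf {
    uint8_t data[BUF_SIZE];
    size_t  len;
};

/* Vulnerable pattern: assumes a full TCP header follows the IPv6 header and reads the flags
 * byte without consulting `len`. Returns true when it would start the periodic TCP timer. */
bool tcp_syn_unchecked(const struct pkt_buf *b)
{
    const uint8_t *tcp = b->data + IPV6_HDR_LEN;
    return (tcp[TCP_FLAGS_OFF] & TCP_SYN) != 0;   /* may read beyond b->len */
}

/* Hardened pattern: refuse to inspect the flags field unless the whole TCP header arrived.
 * Sets *dropped when the packet is rejected as truncated. */
bool tcp_syn_checked(const struct pkt_buf *b, bool *dropped)
{
    *dropped = false;
    if (b->len < IPV6_HDR_LEN + TCP_HDR_LEN) {
        *dropped = true;                           /* truncated header: drop, do not parse */
        return false;
    }
    const uint8_t *tcp = b->data + IPV6_HDR_LEN;
    return (tcp[TCP_FLAGS_OFF] & TCP_SYN) != 0;
}

/* Writes a packet with `tcp_bytes` bytes of TCP header into the buffer. Only the bytes that
 * belong to the new packet are touched, so anything past them stays stale. */
static void load_packet(struct pkt_buf *b, size_t tcp_bytes, uint8_t flags)
{
    uint8_t tcp[TCP_HDR_LEN] = {0};
    tcp[TCP_FLAGS_OFF] = flags;
    memset(b->data, 0, IPV6_HDR_LEN);
    memcpy(b->data + IPV6_HDR_LEN, tcp, tcp_bytes);
    b->len = IPV6_HDR_LEN + tcp_bytes;
}

/* Constructed scenario: a complete SYN packet is processed first, then a packet carrying
 * only 4 bytes of TCP header arrives. The flags byte at offset 13 is never overwritten. */
static struct pkt_buf truncated_after_syn(void)
{
    struct pkt_buf b;
    memset(&b, 0, sizeof b);
    load_packet(&b, TCP_HDR_LEN, TCP_SYN);   /* leaves SYN in the stale region */
    load_packet(&b, 4, 0);                   /* truncated packet, no flags byte received */
    return b;
}

/* The unchecked parser reads the stale SYN and would start the timer. */
bool demo_unchecked_sees_stale_syn(void)
{
    struct pkt_buf b = truncated_after_syn();
    return tcp_syn_unchecked(&b);
}

/* The checked parser drops the truncated packet without looking at the flags. */
bool demo_checked_drops_truncated(void)
{
    struct pkt_buf b = truncated_after_syn();
    bool dropped;
    bool syn = tcp_syn_checked(&b, &dropped);
    return dropped && !syn;
}

/* The checked parser still recognises a genuine, complete SYN. */
bool demo_checked_accepts_full_syn(void)
{
    struct pkt_buf b;
    memset(&b, 0, sizeof b);
    load_packet(&b, TCP_HDR_LEN, TCP_SYN);
    bool dropped;
    return tcp_syn_checked(&b, &dropped) && !dropped;
}

int main(void)
{
    printf("unchecked parser starts timer on truncated packet: %s\n",
           demo_unchecked_sees_stale_syn() ? "yes" : "no");
    printf("checked parser drops truncated packet: %s\n",
           demo_checked_drops_truncated() ? "yes" : "no");
    printf("checked parser accepts full SYN: %s\n",
           demo_checked_accepts_full_syn() ? "yes" : "no");
    return 0;
}
```

Because the buffer is a fixed static array, the over-read in the unchecked path does not crash; it silently consumes whatever the previous packet left behind, which is why the bug surfaces as attacker-influenced control flow (a timer started on a packet that never carried a SYN) rather than as a fault.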
Affected Products
- Contiki-NG
Affected Vendors
- Adam Dunkels