CRITICAL🇵🇱 Wersja polska

CVE-2024-32017

CVSS 9.8v3.1pub. 2024-05-01upd. 2025-09-04

RIOT is a real-time multi-threading operating system that supports a range of devices that are typically 8-bit, 16-bit and 32-bit microcontrollers. The size check in the `gcoap_dns_server_proxy_get()` function contains a small typo that may lead to a buffer overflow in the subsequent `strcpy()`. In detail, the length of the `_uri` string is checked instead of the length of the `_proxy` string. The `_gcoap_forward_proxy_copy_options()` function does not implement an explicit size check before copying data to the `cep->req_etag` buffer that is `COAP_ETAG_LENGTH_MAX` bytes long. If an attacker can craft input so that `optlen` becomes larger than `COAP_ETAG_LENGTH_MAX`, they can cause a buffer overflow. If the input above is attacker-controlled and crosses a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution. This issue has yet to be patched. Users are advised to add manual bounds checking.

🤖 AI Analysis
How it works

The first vulnerability results from a typographical error in the `gcoap_dns_server_proxy_get()` function: the length of the `_uri` string is checked instead of the `_proxy` string, leading to buffer overflow during the subsequent `strcpy()` call. The second vulnerability affects the `_gcoap_forward_proxy_copy_options()` function, which does not verify the data size before copying it to the `cep->req_etag` buffer of fixed length `COAP_ETAG_LENGTH_MAX` bytes — if an attacker causes the `optlen` value to exceed this limit, a buffer overflow occurs (CWE-120). Both vulnerabilities can be triggered remotely through crafted input data exceeding the security boundary.

Impact

An attacker can cause denial of service (DoS) or execute arbitrary code (RCE) on a device running a vulnerable version of RIOT OS, potentially gaining full control over the embedded system.

Mitigation & patch

At the time of publication, the vulnerability has not been patched by the vendor (no patch available). Manual addition of buffer bounds verification in the functions `gcoap_dns_server_proxy_get()` and `_gcoap_forward_proxy_copy_options()` is recommended. It is advisable to monitor the RIOT-OS repository and vendor advisory for the release of an official patch.

Who is affected

RIOT OS (Riot-Os RIOT) — all versions containing vulnerable code in files `sys/net/application_layer/gcoap/dns.c` and `sys/net/application_layer/gcoap/forward_proxy.c`; specific versions listed in vendor references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Riot Os Riot

    OS
    Riot-Os
    ≤ 2024.01
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDoSMemory
CWE
References

Related vulnerabilities

CVE-2023-33975CRITICAL9.8ten sam produkt

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability t...

CVE-2023-24819CRITICAL9.8ten sam produkt

RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the abili...

CVE-2023-24823CRITICAL9.8ten sam produkt

RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the abili...

CVE-2021-27357CRITICAL9.8ten sam produkt

RIOT-OS 2020.01 contains a buffer overflow vulnerability in /sys/net/gnrc/routing/rpl/gnrc_rpl_control_message...

CVE-2021-27697CRITICAL9.8ten sam produkt

RIOT-OS 2021.01 contains a buffer overflow vulnerability in sys/net/gnrc/routing/rpl/gnrc_rpl_validation.c thr...