| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <SEYPR06MB666358AE6F8C7902FA04D7A2C5732@SEYPR06MB6663.apcprd06.prod.outlook.com> Date: Tue, 16 Jan 2024 14:01:57 +0000 From: Meng Ruijie <ruijie_meng@...us.edu> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] Misues same epoch number within TCP lifetime in TinyDTLS [Suggested description] An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. DTLS servers allow remote attackers to reuse the same epoch number within two times the TCP maximum segment lifetime, which is prohibited in RFC6347. This vulnerability allows remote attackers to obtain sensitive application (data of connected clients). [VulnerabilityType Other] Improper Handling of exception conditions [Vendor of Product] https://github.com/contiki-ng/tinydtls [Affected Product Code Base] contiki-ng tinydtls - master branch 53a0d97 [Affected Component] the service of dtls servers [Attack Type] Remote [Impact Code execution] true [Impact Information Disclosure] true [Reference] https://github.com/contiki-ng/tinydtls/issues/25 [Discoverer] jerrytesting [CVE Reference] The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2021-42146 to this vulnerability. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists