CVE-2024-38373

Published: Jun 24, 2024Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

FreeRTOS-Plus-TCP is a lightweight TCP/IP stack for FreeRTOS. FreeRTOS-Plus-TCP versions 4.0.0 through 4.1.0 contain a buffer over-read issue in the DNS Response Parser when parsing domain names in a DNS response. A carefully crafted DNS response with domain name length value greater than the actual domain name length, could cause the parser to read beyond the DNS response buffer. This issue affects applications using DNS functionality of the FreeRTOS-Plus-TCP stack. Applications that do not use DNS functionality are not affected, even when the DNS functionality is enabled. This vulnerability has been patched in version 4.1.1.

Affected (1)

Products: Amazon: Freertos Plus Tcp

1 product

Freertos Plus Tcp

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Amazon Freertos Plus Tcp	From 4.0.0 to 4.1.1

Related CWEs

Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

Buffer Over-read

The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

References (4)

https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.1.1

Source: security-advisories@github.com

Release Notes

https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-ppcp-rg65-58mv

Source: security-advisories@github.com

Vendor Advisory

https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.1.1

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-ppcp-rg65-58mv

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.