CVE-2024-41125 Overview
CVE-2024-41125 is an out-of-bounds read vulnerability in Contiki-NG, an open-source operating system for resource-constrained Internet of Things (IoT) devices. The flaw resides in the Simple Network Management Protocol (SNMP) module, specifically in os/net/app-layer/snmp/snmp-ber.c. The function snmp_ber_decode_string_len_buffer reads one byte from a received SNMP packet without verifying that the buffer contains another byte, enabling a 1-byte out-of-bounds read [CWE-125]. An attacker on an adjacent network can trigger the condition by sending a crafted SNMP packet to a device running Contiki-NG with SNMP enabled. The SNMP module is disabled in the default Contiki-NG configuration.
Critical Impact
An adjacent-network attacker can send a crafted SNMP packet to a Contiki-NG device with SNMP enabled, triggering an out-of-bounds read with high confidentiality, integrity, and availability impact.
Affected Products
- Contiki-NG operating system (all versions prior to the fix in pull request #2936)
- IoT devices running Contiki-NG with the SNMP module enabled
- Deployments using os/net/app-layer/snmp/snmp-ber.c for SNMP packet decoding
Discovery Timeline
- 2024-11-27 - CVE-2024-41125 published to the National Vulnerability Database (NVD)
- 2025-04-10 - Last updated in NVD database
Technical Details for CVE-2024-41125
Vulnerability Analysis
The vulnerability is an out-of-bounds read [CWE-125] in the Basic Encoding Rules (BER) decoder used by the Contiki-NG SNMP implementation. SNMP encodes data using BER, which represents variable-length fields with a length prefix followed by the field contents. The Contiki-NG decoder reads the length byte of a string field from an attacker-controlled packet. The function snmp_ber_decode_string_len_buffer then accesses an additional byte from the input buffer without confirming that another byte is available. When a malformed or truncated SNMP packet is received, the decoder reads one byte past the end of the receive buffer.
While the magnitude of the read is small, the consequences on a constrained IoT device can be severe. Adjacent memory contents may influence subsequent SNMP processing logic, and on embedded targets a read past a buffer boundary can map to memory-mapped peripherals or unmapped regions, causing inconsistent behavior or faults.
Root Cause
The root cause is missing input validation in BER length decoding. The function decrements or advances the buffer pointer to read a length descriptor but omits a bounds check against the remaining buffer size before dereferencing the next byte. Any attacker controlling the SNMP payload can craft a packet whose length encoding terminates at the buffer boundary, forcing the read past the end.
Attack Vector
Exploitation requires network reachability to a Contiki-NG device on an adjacent network segment with the SNMP module compiled in and enabled. No authentication or user interaction is required. The attacker sends a single malformed SNMP packet whose BER-encoded string field has a length descriptor positioned at the final byte of the packet. When the decoder processes the descriptor, it reads one byte beyond the buffer, producing the out-of-bounds access. Refer to the GitHub Security Advisory GHSA-qjj3-gqx7-438w for further technical context.
Detection Methods for CVE-2024-41125
Indicators of Compromise
- Inbound SNMP packets to Contiki-NG devices containing truncated or malformed BER length fields
- Unexpected restarts, faults, or watchdog events on IoT endpoints running Contiki-NG with SNMP enabled
- SNMP traffic originating from non-management hosts on the local or adjacent network segment
Detection Strategies
- Inspect SNMP packets at the network boundary and validate BER length encoding lengths against declared payload size
- Audit Contiki-NG firmware build configurations to identify deployments where the SNMP module is compiled in
- Correlate device crash telemetry with SNMP packet arrival timestamps from adjacent network sensors
Monitoring Recommendations
- Enable SNMP traffic logging on gateways and management hosts adjacent to Contiki-NG nodes
- Alert on SNMP packets with abnormally small payload sizes or invalid BER length descriptors
- Track firmware versions across the IoT fleet to confirm patch status against pull request #2936
How to Mitigate CVE-2024-41125
Immediate Actions Required
- Apply the patch from Contiki-NG pull request #2936 manually to affected firmware builds
- Disable the SNMP module in the Contiki-NG build configuration for devices that do not require SNMP
- Restrict SNMP traffic to authorized management hosts using network segmentation and ACLs
- Inventory all IoT devices running Contiki-NG and identify those built with SNMP enabled
Patch Information
The fix is included in Contiki-NG pull request #2936 and will ship in the next release of Contiki-NG. Users are advised to apply the patch manually to the snmp_ber_decode_string_len_buffer function in os/net/app-layer/snmp/snmp-ber.c or to wait for the upstream release. See the GitHub Pull Request for Contiki-NG for the patch source.
Workarounds
- Disable the SNMP module in the Contiki-NG build configuration by removing SNMP entries from the project Makefile
- Block inbound SNMP (UDP ports 161 and 162) to Contiki-NG devices at upstream gateways
- Place Contiki-NG nodes on isolated network segments accessible only by trusted management infrastructure
# Disable the SNMP module in the Contiki-NG project Makefile
# Remove or comment out the SNMP module inclusion, for example:
# MODULES += os/net/app-layer/snmp
# Then rebuild the firmware
make distclean
make TARGET=<your-target>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
