CVE-2021-28362

7.5 HIGH

📋 TL;DR

This vulnerability in Contiki OS allows attackers to send specially crafted IPv6 packets with invalid extension headers, causing integer underflow and memory corruption. This leads to denial-of-service conditions by crashing affected devices. It affects all Contiki-based IoT devices and embedded systems using IPv6 networking.

💻 Affected Systems

Products:
  • Contiki OS
Versions: All versions through 3.0
Operating Systems: Contiki OS (embedded/IoT)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with IPv6 enabled. Many IoT devices use Contiki as their embedded OS.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system crash requiring a physical reset, potentially leading to permanent device failure in resource-constrained IoT devices.

🟠 Likely Case: Denial of service through a system crash or reboot, disrupting device functionality until manual intervention.

🟢 If Mitigated: No impact if IPv6 is disabled or proper network filtering blocks malicious packets.

🌐 Internet-Facing: HIGH - Devices exposed to IPv6 networks can be remotely attacked without authentication.
🏢 Internal Only: MEDIUM - Requires attacker access to internal network, but still exploitable without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted IPv6 packets. Public details available in CERT advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contiki 3.x with security patches

Vendor Advisory: https://github.com/contiki-os/contiki/releases

Restart Required: Yes

Instructions:

1. Update Contiki OS to the patched version.
2. Recompile and redeploy firmware to affected devices.
3. Verify that the IPv6 packet handling functions in rpl-ext-header.c are updated.

🔧 Temporary Workarounds

Disable IPv6 (platform: all)

Disable IPv6 networking if it is not required for device functionality.

# Configure network settings to use IPv4 only
# Disable IPv6 in the Contiki configuration

Network Filtering (platform: linux)

Block or filter IPv6 packets with extension headers at the network perimeter.

# Example ip6tables rule (iptables only handles IPv4): drop inbound IPv6 packets
# that carry a routing extension header; add hop,dst to the list to cover the other option headers
ip6tables -A INPUT -m ipv6header --header route --soft -j DROP
# Configure the firewall to restrict remaining IPv6 traffic to trusted sources

🧯 If You Can't Patch

  • Segment affected devices on isolated network segments
  • Implement strict network ACLs to limit IPv6 traffic to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Check the Contiki version and verify whether IPv6 is enabled. Review the rpl-ext-header.c source code for integer underflow checks on extension header lengths.

Check Version:

# Check the Contiki version string in the source tree (or in the firmware's strings);
# it is defined by CONTIKI_VERSION_STRING
grep -rn CONTIKI_VERSION_STRING core/

Verify Fix Applied:

Verify that the running Contiki version is patched and test with crafted IPv6 packets in a lab setting to ensure no crash occurs.

📡 Detection & Monitoring

Log Indicators:

  • System crash logs
  • Kernel panic messages
  • IPv6 packet processing errors

Network Indicators:

  • Unusual IPv6 packets with malformed extension headers
  • Spike in ICMPv6 error messages

SIEM Query:

source="network" proto="ipv6" (header_length < payload_length OR extension_header malformed)
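As an added example (not from this advisory or the Contiki project), the following Python check walks the IPv6 extension-header chain of a raw packet and flags the mismatch the SIEM query above describes in pseudo-syntax: a header whose declared length exceeds what the payload actually carries, or a Payload Length that exceeds the bytes captured. The packet bytes are constructed here for the example; the routing-header Segments Left bound and the cap on header count are this example's own sanity choices, not taken from the page.

```python
"""Validate the IPv6 extension-header chain of a raw packet.

Flags packets whose extension headers declare more octets than the payload
carries, which is the malformed-header pattern the advisory describes.
Suitable for a passive sensor or as a unit test for a perimeter filter.
All sample packets below are constructed for this example.
"""
import struct

# IPv6 Next Header values (IANA protocol numbers)
HOP_BY_HOP = 0
UDP = 17
ROUTING = 43
FRAGMENT = 44
NO_NEXT_HEADER = 59
DEST_OPTS = 60

# Headers whose second octet is "Hdr Ext Len" in 8-octet units, excluding the first 8
VARIABLE_LENGTH_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS}
IPV6_FIXED_LEN = 40
MAX_EXT_HEADERS = 8  # sanity bound chosen for this example


def check_ipv6_ext_headers(packet: bytes):
    """Return (True, 'ok') if the header chain is consistent, else (False, reason)."""
    if len(packet) < IPV6_FIXED_LEN:
        return False, "truncated IPv6 fixed header"
    if packet[0] >> 4 != 6:
        return False, "not an IPv6 packet"
    payload_len = struct.unpack("!H", packet[4:6])[0]
    next_hdr = packet[6]
    if IPV6_FIXED_LEN + payload_len > len(packet):
        return False, f"payload length {payload_len} exceeds captured bytes"

    offset = IPV6_FIXED_LEN
    remaining = payload_len
    count = 0
    while next_hdr in VARIABLE_LENGTH_EXT or next_hdr == FRAGMENT:
        count += 1
        if count > MAX_EXT_HEADERS:
            return False, "too many extension headers"
        if remaining < 8:
            return False, f"header {next_hdr}: needs 8 octets, {remaining} remain"
        # The Fragment header is fixed at 8 octets; the others encode their length
        hdr_len = 8 if next_hdr == FRAGMENT else (packet[offset + 1] + 1) * 8
        if hdr_len > remaining:
            return False, f"header {next_hdr}: declares {hdr_len} octets, {remaining} remain"
        if next_hdr == ROUTING:
            # Segments Left can never exceed the octets available for addresses
            segments_left = packet[offset + 3]
            if segments_left > hdr_len - 8:
                return False, f"routing header: segments left {segments_left} exceeds address space"
        next_hdr = packet[offset]
        offset += hdr_len
        remaining -= hdr_len
    return True, "ok"


def build_ipv6(next_hdr: int, payload: bytes) -> bytes:
    """Construct a minimal IPv6 packet (hop limit 64, unspecified source and destination)."""
    header = bytes([0x60, 0, 0, 0]) + struct.pack("!HBB", len(payload), next_hdr, 64) + bytes(32)
    return header + payload


# Constructed samples: one well-formed packet and two malformed ones
UDP_HEADER = struct.pack("!HHHH", 5683, 5683, 8, 0)        # CoAP ports, length 8, no checksum
DEST_OPTS_HDR = bytes([UDP, 0, 1, 4, 0, 0, 0, 0])          # Hdr Ext Len 0 (8 octets), PadN option
GOOD_PACKET = build_ipv6(DEST_OPTS, DEST_OPTS_HDR + UDP_HEADER)
# Routing header (type 3, RPL source route) declaring 24 octets while only 8 are present
OVERLONG_ROUTING = build_ipv6(ROUTING, bytes([NO_NEXT_HEADER, 2, 3, 0, 0, 0, 0, 0]))
# Payload Length field larger than the bytes actually on the wire
TRUNCATED = GOOD_PACKET[:IPV6_FIXED_LEN + 4]

SAMPLES = {"good": GOOD_PACKET, "overlong_routing": OVERLONG_ROUTING, "truncated": TRUNCATED}


def scan(samples=SAMPLES):
    """Run the check over each sample; return {name: reason} for the flagged ones."""
    flagged = {}
    for name, pkt in samples.items():
        ok, reason = check_ipv6_ext_headers(pkt)
        if not ok:
            flagged[name] = reason
    return flagged


if __name__ == "__main__":
    for name, reason in scan().items():
        print(f"FLAGGED {name}: {reason}")
```

The check deliberately stops at the first inconsistency and reports which header tripped it, so a sensor can log the reason alongside the source address; feeding it packets from a capture file is a matter of stripping the link-layer header before calling `check_ipv6_ext_headers`.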
