CVE-2021-42141 – This vulnerability in Contiki-NG's tinyDTLS imp... (How to Fix)

📋 TL;DR

This vulnerability in Contiki-NG's tinyDTLS implementation allows an attacker to cause denial of service by exploiting inconsistent epoch numbers during DTLS handshakes. It affects systems using Contiki-NG with tinyDTLS for secure IoT communications. The high CVSS score indicates critical impact potential.

💻 Affected Systems

Products:

Contiki-NG with tinyDTLS

Versions: Through 2018-08-30

Operating Systems: Contiki-NG OS

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems using DTLS for secure communication in IoT/embedded environments

📦 What is this software?

Tinydtls by Contiki Ng

View all CVEs affecting Tinydtls →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption of IoT devices using DTLS for secure communication, potentially affecting critical infrastructure or industrial control systems.

🟠

Likely Case

Targeted DoS attacks against vulnerable IoT devices, causing service interruptions and potential data loss in constrained environments.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, though vulnerable devices remain at risk of disruption.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit details available in security advisories, making exploitation straightforward for attackers

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2018-08-30

Vendor Advisory: https://github.com/contiki-ng/tinydtls/issues/27

Restart Required: Yes

Instructions:

1. Update Contiki-NG to latest version
2. Rebuild and redeploy affected firmware
3. Verify tinyDTLS version is post-2018-08-30

🔧 Temporary Workarounds

Network Segmentation

all

Isolate vulnerable IoT devices from untrusted networks

DTLS Session Monitoring

all

Monitor for abnormal DTLS handshake patterns

🧯 If You Can't Patch

Implement strict network access controls to limit exposure
Deploy intrusion detection systems to monitor for DTLS handshake anomalies

🔍 How to Verify

Check if Vulnerable:

Check Contiki-NG version and tinyDTLS commit date; if using tinyDTLS from 2018-08-30 or earlier, vulnerable

Check Version:

Check Contiki-NG build configuration and tinyDTLS source commit history

Verify Fix Applied:

Verify Contiki-NG version is updated and tinyDTLS commit is post-2018-08-30

📡 Detection & Monitoring

Log Indicators:

Multiple failed DTLS handshakes
Abnormal session termination

Network Indicators:

Unusual DTLS packet sequences
Repeated handshake attempts with inconsistent epoch numbers

SIEM Query:

dtls.handshake.failure OR dtls.session.abnormal

📊 Metadata

CVE ID: CVE-2021-42141

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-755

Published: January 22, 2024

Last Updated: June 20, 2025

🔗 References

http://packetstormsecurity.com/files/176625/Contiki-NG-tinyDTLS-Denial-Of-Service.html Third Party Advisory,VDB Entry
https://github.com/contiki-ng/tinydtls/issues/27 Patch
https://seclists.org/fulldisclosure/2024/Jan/14 Mailing List,Third Party Advisory
http://packetstormsecurity.com/files/176625/Contiki-NG-tinyDTLS-Denial-Of-Service.html Third Party Advisory,VDB Entry
http://seclists.org/fulldisclosure/2024/Jan/14
https://github.com/contiki-ng/tinydtls/issues/27 Patch
https://seclists.org/fulldisclosure/2024/Jan/14 Mailing List,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-42141, you might also want to check these: