CVE-2021-42142

Severity (CVSS): 9.8 CRITICAL

📋 TL;DR

This vulnerability in Contiki-NG tinyDTLS allows remote attackers to cause denial of service and false-positive packet drops by sending DTLS packets with large epoch numbers early in the connection. It affects DTLS servers using vulnerable versions of tinyDTLS, potentially disrupting secure communication channels.

💻 Affected Systems

Products:
  • Contiki-NG tinyDTLS
Versions: Through master branch commit 53a0d97
Operating Systems: Any OS running Contiki-NG with tinyDTLS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects DTLS server implementations using the vulnerable tinyDTLS library.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service for DTLS services, disrupting secure communications and potentially causing cascading failures in dependent systems.

🟠 Likely Case

Service disruption causing packet drops and connection failures for DTLS-protected communications.

🟢 If Mitigated

Minimal impact with proper network segmentation and monitoring in place.

🌐 Internet-Facing: HIGH - DTLS servers exposed to the internet are directly vulnerable to remote attacks.
🏢 Internal Only: MEDIUM - Internal DTLS servers could be exploited by compromised internal systems or malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is well-documented with public references, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Contiki-NG repository for fixes after commit 53a0d97

Vendor Advisory: https://github.com/contiki-ng/tinydtls/issues/24

Restart Required: Yes

Instructions:

1. Update Contiki-NG tinyDTLS to the latest version.
2. Recompile affected applications.
3. Restart DTLS services.

🔧 Temporary Workarounds

Network filtering (scope: all)

Filter or rate-limit DTLS traffic with large epoch numbers at the network perimeter.

🧯 If You Can't Patch

  • Implement network segmentation to isolate DTLS servers
  • Deploy intrusion detection systems to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Your deployment is vulnerable if the Contiki-NG tinyDTLS checkout is at commit 53a0d97 or earlier.

Check Version:

Check the git log of the tinyDTLS source tree (or its version information) to identify which commit is built into your firmware.

Verify Fix Applied:

Confirm that the tinyDTLS checkout is newer than commit 53a0d97, rebuild, and test DTLS handshakes and data transfer end to end.

📡 Detection & Monitoring

Log Indicators:

  • Unusual DTLS connection failures
  • Increased packet drop rates in DTLS logs

Network Indicators:

  • DTLS packets with abnormally large epoch numbers
  • Sudden drops in DTLS traffic

SIEM Query:

Search for DTLS protocol anomalies, or for repeated connection resets and handshake failures originating from a single source address.
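The network indicator above (records carrying an epoch far beyond what the connection state justifies) can be checked mechanically: a DTLS 1.2 record header is 13 bytes (content type, version, 16-bit epoch, 48-bit sequence number, length), and a peer's epoch only advances once per ChangeCipherSpec it sends. The following detector is an added example written for this page; it is not tinyDTLS or Contiki-NG code. The peer addresses and record bytes are constructed sample input, and the tolerance of one missed ChangeCipherSpec is an assumption chosen to absorb packet loss without masking the anomaly.

```python
"""Flag DTLS records whose epoch is implausibly large for the connection
state. Added example for this advisory, not tinyDTLS code. Peer names and
sample records below are constructed, not captured traffic."""
import struct
from dataclasses import dataclass

DTLS_HEADER_LEN = 13
CHANGE_CIPHER_SPEC = 20
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


@dataclass
class DtlsRecordHeader:
    content_type: int
    version: tuple        # (major, minor); DTLS 1.2 is (0xFE, 0xFD)
    epoch: int            # 16-bit, advances once per ChangeCipherSpec
    sequence_number: int  # 48-bit
    length: int


def parse_dtls_record_header(data: bytes) -> DtlsRecordHeader:
    """Parse the 13-byte DTLS record-layer header (RFC 6347 section 4.1)."""
    if len(data) < DTLS_HEADER_LEN:
        raise ValueError("truncated DTLS record header")
    ctype, major, minor, epoch, seq_hi, seq_lo, length = struct.unpack(
        "!BBBHHIH", data[:DTLS_HEADER_LEN])
    if major != 0xFE:
        raise ValueError("not a DTLS record (version major byte %#x)" % major)
    return DtlsRecordHeader(ctype, (major, minor), epoch,
                            (seq_hi << 32) | seq_lo, length)


class EpochMonitor:
    """Per peer, count the ChangeCipherSpec records it has sent. A record's
    epoch may not exceed that count plus a small tolerance for a lost CCS;
    anything beyond that early in a connection is the pattern in this
    advisory. The tolerance value is an assumption for this example."""

    def __init__(self, tolerance: int = 1):
        self.tolerance = tolerance
        self.ccs_seen = {}  # peer address -> CCS records observed

    def check(self, peer: str, record: bytes):
        """Return an alert string for an anomalous record, else None."""
        hdr = parse_dtls_record_header(record)
        seen = self.ccs_seen.get(peer, 0)
        allowed = seen + self.tolerance
        if hdr.epoch > allowed:
            return (f"{peer}: {CONTENT_TYPES.get(hdr.content_type, '?')} record "
                    f"with epoch {hdr.epoch}, but at most {allowed} expected "
                    f"({seen} ChangeCipherSpec seen)")
        if hdr.content_type == CHANGE_CIPHER_SPEC:
            self.ccs_seen[peer] = seen + 1
        return None


def scan(records):
    """Run a fresh monitor over (peer, record_bytes) pairs; return alerts."""
    mon = EpochMonitor()
    return [a for peer, rec in records if (a := mon.check(peer, rec))]


# Constructed sample traffic (not a real capture). Header layout:
# type | ver FE FD | epoch | 48-bit seq | length | payload
SAMPLE = [
    # benign peer: ClientHello (epoch 0), CCS (epoch 0), Finished (epoch 1)
    ("10.0.0.5", bytes.fromhex("16fefd 0000 000000000000 0004 01000000")),
    ("10.0.0.5", bytes.fromhex("14fefd 0000 000000000001 0001 01")),
    ("10.0.0.5", bytes.fromhex("16fefd 0001 000000000000 0004 14000000")),
    # anomalous peer: ClientHello, then application data claiming epoch 0xFFFF
    ("10.0.0.9", bytes.fromhex("16fefd 0000 000000000000 0004 01000000")),
    ("10.0.0.9", bytes.fromhex("17fefd ffff 000000000000 0002 dead")),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print("ALERT", alert)
```

Run over the constructed sample, the benign peer produces no alert (its epoch-1 record follows a ChangeCipherSpec), while the second peer's epoch-65535 record is reported. Feeding the same check with records taken from a packet capture on the DTLS port gives a per-source count of such records, which is the quantity to rate-limit or block at the perimeter.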
