Login Sign Up

CVE-2021-42143

9.1 CRITICAL
Denial of Service

📋 TL;DR

This vulnerability in Contiki-NG tinyDTLS allows remote attackers to cause denial of service and potentially leak sensitive information by sending a malformed ClientHello handshake message. The infinite loop consumes all resources, while the buffer over-read can disclose memory contents. Systems using affected versions of Contiki-NG with tinyDTLS enabled are vulnerable.

💻 Affected Systems

Products:
  • Contiki-NG
Versions: tinyDTLS through master branch 53a0d97
Operating Systems: All platforms running Contiki-NG
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with tinyDTLS enabled. Contiki-NG is commonly used in IoT/embedded devices.

📦 What is this software?

Tinydtls by Contiki Ng

View all CVEs affecting Tinydtls →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system resource exhaustion leading to denial of service, plus potential disclosure of sensitive memory contents including cryptographic keys or other secrets.

🟠

Likely Case

Denial of service through resource exhaustion, potentially disrupting IoT/embedded device functionality.

🟢

If Mitigated

Limited impact if network controls prevent malicious traffic or if the vulnerable component is not exposed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires sending a specially crafted ClientHello message with odd-length cipher suites. Exploitation is straightforward once the malformed packet is constructed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit 53a0d97

Vendor Advisory: https://github.com/contiki-ng/contiki-ng/security/advisories

Restart Required: Yes

Instructions:

1. Update Contiki-NG to latest version. 2. Rebuild and redeploy affected firmware. 3. Restart devices/services using the updated firmware.

🔧 Temporary Workarounds

Disable tinyDTLS

all

If DTLS functionality is not required, disable tinyDTLS in Contiki-NG configuration

Modify project configuration to set DTLS=0 or similar

Network filtering

linux

Block or filter DTLS traffic to vulnerable devices

iptables -A INPUT -p udp --dport 5684 -j DROP
Configure firewall to block UDP port 5684 (CoAPs default)

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable devices
  • Deploy intrusion prevention systems to detect and block malformed DTLS packets

🔍 How to Verify

Check if Vulnerable:

Check Contiki-NG version and tinyDTLS configuration. If using tinyDTLS and version is before fix commit 53a0d97, system is vulnerable.

Check Version:

Check Contiki-NG git commit hash or version in source/build configuration

Verify Fix Applied:

Verify Contiki-NG version is updated beyond commit 53a0d97 and test DTLS handshake functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual resource consumption
  • DTLS handshake failures
  • System crashes or hangs

Network Indicators:

  • Malformed DTLS ClientHello packets with odd-length cipher suites
  • Unusual UDP traffic to DTLS ports

SIEM Query:

source="network" AND (protocol="DTLS" OR port=5684) AND packet_size_odd=true

📊 Metadata

CVE ID: CVE-2021-42143
CVSS v3 Score: 9.1 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CWE: CWE-835
Published: January 24, 2024
Last Updated: June 20, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-42143, you might also want to check these:

CVE-2026-25533 8.8

This vulnerability allows attackers to bypass multiple security layers in Enclave, a JavaScript sand...

Same vulnerability type (CWE-835)
CVE-2023-20083 8.6

A vulnerability in Cisco Firepower Threat Defense (FTD) Software's ICMPv6 inspection with Snort 2 al...

Same vulnerability type (CWE-835)
CVE-2025-20136 8.6

This vulnerability allows unauthenticated remote attackers to cause Cisco ASA and FTD firewalls to c...

Same vulnerability type (CWE-835)