FreeRTOS-Plus-TCP Integer Underflow Vulnerability in DHCPv6 Sub-Option Parser Allowing Address Corruption and Denial-of-Service

Vulnerability

An integer underflow has been identified in the DHCPv6 sub-option parser of FreeRTOS-Plus-TCP, affecting versions 4.0.0 through 4.2.5 and 4.3.0 through 4.4.0. An attacker on the same link as the device (adjacent network access) can use it to corrupt the device's IPv6 address assignment, its DNS configuration and its lease times, or to cause a denial of service in which the IP task freezes permanently and only a hardware reset recovers the device. The parser is reachable whenever DHCPv6 is enabled (ipconfigUSE_DHCPv6 set to 1), and a single crafted DHCPv6 packet is enough to trigger the bug.
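The following is an added illustration of the bug class, not FreeRTOS-Plus-TCP source. It walks the sub-options of a DHCPv6 IA_NA option (RFC 8415 layout: 12-byte IAID/T1/T2 header, then 2-byte code, 2-byte length, data) in the vulnerable shape the advisory describes, where an attacker-controlled length is subtracted from an unsigned "remaining" counter without first checking that it fits, beside a hardened version. The function names, the result struct, the two sample packets (constructed for this example, not captures) and the pkt_cap "end of receive buffer" stand-in are all assumptions made for the example; the real parser has no such fence.

```c
/* Added example, not FreeRTOS-Plus-TCP code. Names, struct layout, sample
 * packets and the pkt_cap stand-in are assumptions made for the illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPTION_IAADDR    5U   /* RFC 8415 IA Address sub-option code */
#define IA_NA_HDR_LEN    12U  /* IAID(4) + T1(4) + T2(4) */
#define IAADDR_BODY_LEN  24U  /* address(16) + preferred(4) + valid(4) */

typedef enum { PARSE_OK, PARSE_MALFORMED, PARSE_OVERRAN } parse_status_t;

typedef struct {
    parse_status_t status;
    unsigned addresses;        /* IAADDR sub-options accepted */
    uint8_t  addr[16];         /* last address "assigned" to the device */
    uint32_t preferred, valid; /* lifetimes taken from that sub-option */
    size_t   walked;           /* bytes from the start of the option data the loop touched */
} ia_result_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void take_iaaddr(const uint8_t *body, ia_result_t *r)
{
    memcpy(r->addr, body, 16);
    r->preferred = rd32(body + 16);
    r->valid     = rd32(body + 20);
    r->addresses++;
}

/* Vulnerable walk. opt_off/opt_len locate the IA_NA option DATA (after its own
 * 4-byte header) inside the receive buffer pkt[0..pkt_cap). 'remaining' is
 * decremented by a wire-supplied length with no fit check, so it wraps. */
ia_result_t parse_ia_na_vulnerable(const uint8_t *pkt, size_t pkt_cap, size_t opt_off, size_t opt_len)
{
    ia_result_t r = { .status = PARSE_OK };
    size_t pos = opt_off + IA_NA_HDR_LEN;
    size_t remaining = opt_len - IA_NA_HDR_LEN;   /* also wraps when opt_len < 12 */

    while (remaining >= 4) {
        /* The two pkt_cap checks stand in for the point where a real device
         * would fault or spin; the real loop has no such fence. */
        if (pos + 4 > pkt_cap) { r.status = PARSE_OVERRAN; break; }
        uint16_t code = rd16(pkt + pos);
        uint16_t len  = rd16(pkt + pos + 2);
        if (pos + 4 + len > pkt_cap) { r.status = PARSE_OVERRAN; break; }
        if (code == OPTION_IAADDR && len >= IAADDR_BODY_LEN)
            take_iaaddr(pkt + pos + 4, &r);      /* may read bytes outside the option */
        pos       += 4 + len;
        remaining -= 4 + len;                    /* BUG: 4 + len may exceed remaining */
    }
    r.walked = pos - opt_off;
    if (r.walked > opt_len) r.status = PARSE_OVERRAN;   /* walked past the declared end */
    return r;
}

/* Hardened walk: bound the option against the buffer, then compare each
 * declared length with what is left BEFORE subtracting it. */
ia_result_t parse_ia_na_hardened(const uint8_t *pkt, size_t pkt_cap, size_t opt_off, size_t opt_len)
{
    ia_result_t r = { .status = PARSE_MALFORMED };
    if (opt_off > pkt_cap || opt_len > pkt_cap - opt_off || opt_len < IA_NA_HDR_LEN)
        return r;                                /* option does not fit, or lacks its fixed header */
    size_t pos = opt_off + IA_NA_HDR_LEN;
    size_t remaining = opt_len - IA_NA_HDR_LEN;  /* safe: opt_len >= 12 checked above */

    while (remaining >= 4) {
        uint16_t code = rd16(pkt + pos);
        uint16_t len  = rd16(pkt + pos + 2);
        if (len > remaining - 4) { r.walked = pos - opt_off; return r; }   /* would underflow */
        if (code == OPTION_IAADDR) {
            if (len < IAADDR_BODY_LEN) { r.walked = pos - opt_off; return r; }
            take_iaaddr(pkt + pos + 4, &r);
        }
        pos       += 4 + len;
        remaining -= 4 + len;                    /* cannot wrap: 4 + len <= remaining */
    }
    r.walked = pos - opt_off;
    if (remaining == 0) r.status = PARSE_OK;     /* 1..3 stray bytes cannot form a sub-option */
    return r;
}

/* Constructed sample packets (not captures). A 4-byte msg-type/transaction-id
 * header, then the IA_NA option header at offset 4 and its data at offset 8. */
const uint8_t benign_pkt[] = {
    0x07, 0x00, 0x00, 0x01,                                       /* REPLY, xid */
    0x00, 0x03, 0x00, 0x28,                                       /* IA_NA, option-len 40 */
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x00, 0x1c, 0x20, /* IAID, T1=3600, T2=7200 */
    0x00, 0x05, 0x00, 0x18,                                       /* IAADDR, len 24 */
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01, /* 2001:db8::1 */
    0x00, 0x00, 0x38, 0x40, 0x00, 0x00, 0x70, 0x80,               /* preferred 14400, valid 28800 */
    0x00, 0x17, 0x00, 0x10,                                       /* DNS_SERVERS, len 16 */
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x53, /* 2001:db8::53 */
};
const uint8_t crafted_pkt[128] = {                                /* rest of the buffer is zero */
    0x07, 0x00, 0x00, 0x02,
    0x00, 0x03, 0x00, 0x10,                                       /* IA_NA, option-len 16: header + one sub-option header */
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x00, 0x1c, 0x20,
    0x00, 0x05, 0x00, 0x18,                                       /* IAADDR claims 24 bytes that lie outside the option */
    0x00, 0x17, 0x00, 0x10,                                       /* the DNS_SERVERS option that follows is read as the address */
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x53,
};

int main(void)
{
    ia_result_t v = parse_ia_na_vulnerable(crafted_pkt, sizeof crafted_pkt, 8, 16);
    ia_result_t h = parse_ia_na_hardened(crafted_pkt, sizeof crafted_pkt, 8, 16);
    printf("vulnerable: status=%d addresses=%u walked=%zu addr[0..3]=%02x%02x%02x%02x preferred=%u\n",
           (int)v.status, v.addresses, v.walked, v.addr[0], v.addr[1], v.addr[2], v.addr[3], (unsigned)v.preferred);
    printf("hardened:   status=%d addresses=%u\n", (int)h.status, h.addresses);
    return 0;
}
```

On the crafted packet the vulnerable walk accepts one IAADDR whose 16 address bytes and lifetimes come from the DNS_SERVERS option and the zero fill behind it (the "address corruption" of the title), and its wrapped counter then keeps it walking until it runs out of buffer, which is the shape of the freeze the advisory describes; the hardened walk rejects the packet at the first length comparison without touching the bytes.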

Impact

Exploitation gives an on-link attacker control over what the device believes it was assigned: the IPv6 address, the DNS server configuration and the lease durations can all be overwritten by a crafted packet. The same packet can also hang the IP task permanently; because that task services all network traffic in FreeRTOS-Plus-TCP, the device stays unreachable until it is hardware reset.

Remediation

Upgrade to FreeRTOS-Plus-TCP 4.4.1, or to 4.2.6 for deployments that track the 4.2 release line. If upgrading immediately is not possible, disable DHCPv6 by setting ipconfigUSE_DHCPv6 to 0 in FreeRTOSIPConfig.h so the vulnerable parser is never reached; the device then needs its IPv6 address configured manually.

Added: Apr 29, 2026, 7:20 PM
Updated: Apr 29, 2026, 7:20 PM

Vulnerability Rating

Custom Algorithm

spread          6.2
impact          3.1
exploitability  5.3
remediation     8.3
relevance       7.0
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.