1187 lines
35 KiB
ReStructuredText
1187 lines
35 KiB
ReStructuredText
.. _vulnerabilities:
|
||
|
||
Vulnerabilities
|
||
###############
|
||
|
||
This page collects all of the vulnerabilities that are discovered and
|
||
fixed in each release. It will also often have more details than is
|
||
available in the releases. Some vulnerabilities are deemed to be
|
||
sensitive, and will not be publicly discussed until there is
|
||
sufficient time to fix them. Because the release notes are locked to
|
||
a version, the information here can be updated after the embargo is
|
||
lifted.
|
||
|
||
CVE-2017
|
||
========
|
||
|
||
CVE-2017-14199
|
||
--------------
|
||
|
||
Buffer overflow in :code:`getaddrinfo()`.
|
||
|
||
- `CVE-2017-14199 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14199>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-12
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-12>`_
|
||
|
||
- `PR6158 fix for 1.11.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/6158>`_
|
||
|
||
CVE-2017-14201
|
||
--------------
|
||
|
||
The shell DNS command can cause unpredictable results due to misuse of
|
||
stack variables.
|
||
|
||
Use After Free vulnerability in the Zephyr shell allows a serial or
|
||
telnet connected user to cause denial of service, and possibly remote
|
||
code execution.
|
||
|
||
This has been fixed in release v1.14.0.
|
||
|
||
- `CVE-2017-14201 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14201>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-17
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-17>`_
|
||
|
||
- `PR13260 fix for v1.14.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/13260>`_
|
||
|
||
CVE-2017-14202
|
||
--------------
|
||
|
||
The shell implementation does not protect against buffer overruns
|
||
resulting in unpredictable behavior.
|
||
|
||
Improper Restriction of Operations within the Bounds of a Memory
|
||
Buffer vulnerability in the shell component of Zephyr allows a serial
|
||
or telnet connected user to cause a crash, possibly with arbitrary
|
||
code execution.
|
||
|
||
This has been fixed in release v1.14.0.
|
||
|
||
- `CVE-2017-14202 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14202>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-18
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-18>`_
|
||
|
||
- `PR13048 fix for v1.14.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/13048>`_
|
||
|
||
CVE-2019
|
||
========
|
||
|
||
CVE-2019-9506
|
||
-------------
|
||
|
||
The Bluetooth BR/EDR specification up to and including version 5.1
|
||
permits sufficiently low encryption key length and does not prevent an
|
||
attacker from influencing the key length negotiation. This allows
|
||
practical brute-force attacks (aka "KNOB") that can decrypt traffic
|
||
and inject arbitrary ciphertext without the victim noticing.
|
||
|
||
- `CVE-2019-9506 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9506>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-20
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-20>`_
|
||
|
||
- `PR18702 fix for v1.14.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/18702>`_
|
||
|
||
- `PR18659 fix for v2.0.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/18659>`_
|
||
|
||
CVE-2020
|
||
========
|
||
|
||
CVE-2020-10019
|
||
--------------
|
||
|
||
Buffer Overflow vulnerability in USB DFU of zephyr allows a USB
|
||
connected host to cause possible remote code execution.
|
||
|
||
This has been fixed in releases v1.14.2, v2.2.0, and v2.1.1.
|
||
|
||
- `CVE-2020-10019 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10019>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-25
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-25>`_
|
||
|
||
- `PR23460 fix for 1.14.x
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23460>`_
|
||
|
||
- `PR23457 fix for 2.1.x
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23457>`_
|
||
|
||
- `PR23190 fix in 2.2.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23190>`_
|
||
|
||
CVE-2020-10021
|
||
--------------
|
||
|
||
Out-of-bounds write in USB Mass Storage with unaligned sizes
|
||
|
||
Out-of-bounds Write in the USB Mass Storage memoryWrite handler with
|
||
unaligned Sizes.
|
||
|
||
See NCC-ZEP-024, NCC-ZEP-025, NCC-ZEP-026
|
||
|
||
This has been fixed in releases v1.14.2, and v2.2.0.
|
||
|
||
- `CVE-2020-10021 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10021>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-26
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-26>`_
|
||
|
||
- `PR23455 fix for v1.14.2
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23455>`_
|
||
|
||
- `PR23456 fix for the v2.1 branch
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23456>`_
|
||
|
||
- `PR23240 fix for v2.2.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23240>`_
|
||
|
||
CVE-2020-10022
|
||
--------------
|
||
|
||
UpdateHub Module Copies a Variable-Size Hash String Into a Fixed-Size Array
|
||
|
||
A malformed JSON payload that is received from an UpdateHub server may
|
||
trigger memory corruption in the Zephyr OS. This could result in a
|
||
denial of service in the best case, or code execution in the worst
|
||
case.
|
||
|
||
See NCC-ZEP-016
|
||
|
||
This has been fixed in the below pull requests for main, branch from
|
||
v2.1.0, and branch from v2.2.0.
|
||
|
||
- `CVE-2020-10022 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10022>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-28
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-28>`_
|
||
|
||
- `PR24154 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/24154>`_
|
||
|
||
- `PR24065 fix for branch from v2.1.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/24065>`_
|
||
|
||
- `PR24066 fix for branch from v2.2.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/24066>`_
|
||
|
||
CVE-2020-10023
|
||
--------------
|
||
|
||
Shell Subsystem Contains a Buffer Overflow Vulnerability In
|
||
shell_spaces_trim
|
||
|
||
The shell subsystem contains a buffer overflow, whereby an adversary
|
||
with physical access to the device is able to cause a memory
|
||
corruption, resulting in denial of service or possibly code execution
|
||
within the Zephyr kernel.
|
||
|
||
See NCC-ZEP-019
|
||
|
||
This has been fixed in releases v1.14.2, v2.2.0, and in a branch from
|
||
v2.1.0,
|
||
|
||
- `CVE-2020-10023 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10023>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-29
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-29>`_
|
||
|
||
- `PR23646 fix for v1.14.2
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23646>`_
|
||
|
||
- `PR23649 fix for branch from v2.1.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23649>`_
|
||
|
||
- `PR23304 fix for v2.2.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23304>`_
|
||
|
||
CVE-2020-10024
|
||
--------------
|
||
|
||
ARM Platform Uses Signed Integer Comparison When Validating Syscall
|
||
Numbers
|
||
|
||
The arm platform-specific code uses a signed integer comparison when
|
||
validating system call numbers. An attacker who has obtained code
|
||
execution within a user thread is able to elevate privileges to that
|
||
of the kernel.
|
||
|
||
See NCC-ZEP-001
|
||
|
||
This has been fixed in releases v1.14.2, and v2.2.0, and in a branch
|
||
from v2.1.0,
|
||
|
||
- `CVE-2020-10024 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10024>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-30
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-30>`_
|
||
|
||
- `PR23535 fix for v1.14.2
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23535>`_
|
||
|
||
- `PR23498 fix for branch from v2.1.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23498>`_
|
||
|
||
- `PR23323 fix for v2.2.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23323>`_
|
||
|
||
CVE-2020-10027
|
||
--------------
|
||
|
||
ARC Platform Uses Signed Integer Comparison When Validating Syscall
|
||
Numbers
|
||
|
||
An attacker who has obtained code execution within a user thread is
|
||
able to elevate privileges to that of the kernel.
|
||
|
||
See NCC-ZEP-001
|
||
|
||
This has been fixed in releases v1.14.2, and v2.2.0, and in a branch
|
||
from v2.1.0.
|
||
|
||
- `CVE-2020-10027 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10027>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-35
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-35>`_
|
||
|
||
- `PR23500 fix for v1.14.2
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23500>`_
|
||
|
||
- `PR23499 fix for branch from v2.1.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23499>`_
|
||
|
||
- `PR23328 fix for v2.2.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23328>`_
|
||
|
||
CVE-2020-10028
|
||
--------------
|
||
|
||
Multiple Syscalls In GPIO Subsystem Performs No Argument Validation
|
||
|
||
Multiple syscalls with insufficient argument validation
|
||
|
||
See NCC-ZEP-006
|
||
|
||
This has been fixed in releases v1.14.2, and v2.2.0, and in a branch
|
||
from v2.1.0.
|
||
|
||
- `CVE-2020-10028 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10028>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-32
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-32>`_
|
||
|
||
- `PR23733 fix for v1.14.2
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23733>`_
|
||
|
||
- `PR23737 fix for branch from v2.1.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23737>`_
|
||
|
||
- `PR23308 fix for v2.2.0 (gpio patch)
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23308>`_
|
||
|
||
CVE-2020-10058
|
||
--------------
|
||
|
||
Multiple Syscalls In kscan Subsystem Performs No Argument Validation
|
||
|
||
Multiple syscalls in the Kscan subsystem perform insufficient argument
|
||
validation, allowing code executing in userspace to potentially gain
|
||
elevated privileges.
|
||
|
||
See NCC-ZEP-006
|
||
|
||
This has been fixed in a branch from v2.1.0, and release v2.2.0.
|
||
|
||
- `CVE-2020-10058 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10058>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-34
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-34>`_
|
||
|
||
- `PR23748 fix for branch from v2.1.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23748>`_
|
||
|
||
- `PR23308 fix for v2.2.0 (kscan patch)
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23308>`_
|
||
|
||
CVE-2020-10059
|
||
--------------
|
||
|
||
UpdateHub Module Explicitly Disables TLS Verification
|
||
|
||
The UpdateHub module disables DTLS peer checking, which allows for a
|
||
man in the middle attack. This is mitigated by firmware images
|
||
requiring valid signatures. However, there is no benefit to using DTLS
|
||
without the peer checking.
|
||
|
||
See NCC-ZEP-018
|
||
|
||
This has been fixed in a PR against Zephyr main.
|
||
|
||
- `CVE-2020-10059 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10059>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-36
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-36>`_
|
||
|
||
- `PR24954 fix on main (to be fixed in v2.3.0)
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/24954>`_
|
||
|
||
- `PR24954 fix v2.1.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/24999>`_
|
||
|
||
- `PR24954 fix v2.2.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/24997>`_
|
||
|
||
CVE-2020-10060
|
||
--------------
|
||
|
||
UpdateHub Might Dereference An Uninitialized Pointer
|
||
|
||
In updatehub_probe, right after JSON parsing is complete, objects\[1]
|
||
is accessed from the output structure in two different places. If the
|
||
JSON contained less than two elements, this access would reference
|
||
uninitialized stack memory. This could result in a crash, denial of
|
||
service, or possibly an information leak.
|
||
|
||
Recommend disabling updatehub until such a time as a fix can be made
|
||
available.
|
||
|
||
See NCC-ZEP-030
|
||
|
||
This has been fixed in a PR against Zephyr main.
|
||
|
||
- `CVE-2020-10060 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10060>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-37
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-37>`_
|
||
|
||
- `PR27865 fix on main (to be fixed in v2.4.0)
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/27865>`_
|
||
|
||
- `PR27865 fix for v2.3.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/27889>`_
|
||
|
||
- `PR27865 fix for v2.2.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/27891>`_
|
||
|
||
- `PR27865 fix for v2.1.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/27893>`_
|
||
|
||
CVE-2020-10061
|
||
--------------
|
||
|
||
Error handling invalid packet sequence
|
||
|
||
Improper handling of the full-buffer case in the Zephyr Bluetooth
|
||
implementation can result in memory corruption.
|
||
|
||
This has been fixed in branches for v1.14.0, v2.2.0, and will be
|
||
included in v2.3.0.
|
||
|
||
- `CVE-2020-10061 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10061>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-75
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-75>`_
|
||
|
||
- `PR23516 fix for v2.3 (split driver)
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23516>`_
|
||
|
||
- `PR23517 fix for v2.3 (legacy driver)
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23517>`_
|
||
|
||
- `PR23091 fix for branch from v1.14.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23091>`_
|
||
|
||
- `PR23547 fix for branch from v2.2.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23547>`_
|
||
|
||
CVE-2020-10062
|
||
--------------
|
||
|
||
Packet length decoding error in MQTT
|
||
|
||
CVE: An off-by-one error in the Zephyr project MQTT packet length
|
||
decoder can result in memory corruption and possible remote code
|
||
execution. NCC-ZEP-031
|
||
|
||
The MQTT packet header length can be 1 to 4 bytes. An off-by-one error
|
||
in the code can result in this being interpreted as 5 bytes, which can
|
||
cause an integer overflow, resulting in memory corruption.
|
||
|
||
This has been fixed in main for v2.3.
|
||
|
||
- `CVE-2020-10062 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10062>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-84
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-84>`_
|
||
|
||
- `commit 11b7a37d for v2.3
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23821/commits/11b7a37d9a0b438270421b224221d91929843de4>`_
|
||
|
||
- `NCC-ZEP report`_ (NCC-ZEP-031)
|
||
|
||
.. _NCC-ZEP report: https://research.nccgroup.com/2020/05/26/research-report-zephyr-and-mcuboot-security-assessment
|
||
|
||
CVE-2020-10063
|
||
--------------
|
||
|
||
Remote Denial of Service in CoAP Option Parsing Due To Integer
|
||
Overflow
|
||
|
||
A remote adversary with the ability to send arbitrary CoAP packets to
|
||
be parsed by Zephyr is able to cause a denial of service.
|
||
|
||
This has been fixed in main for v2.3.
|
||
|
||
- `CVE-2020-10063 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10063>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-55
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-55>`_
|
||
|
||
- `PR24435 fix in main for v2.3
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/24435>`_
|
||
|
||
- `PR24531 fix for branch from v2.2
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/24531>`_
|
||
|
||
- `PR24535 fix for branch from v2.1
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/24535>`_
|
||
|
||
- `PR24530 fix for branch from v1.14
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/24530>`_
|
||
|
||
- `NCC-ZEP report`_ (NCC-ZEP-032)
|
||
|
||
CVE-2020-10064
|
||
--------------
|
||
|
||
Improper Input Frame Validation in ieee802154 Processing
|
||
|
||
- `CVE-2020-10064 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10064>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-65
|
||
<https://zephyrprojectsec.atlasssian.net/browse/ZEPSEC-65>`_
|
||
|
||
- `PR24971 fix for v2.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/24971>`_
|
||
|
||
- `PR33451 fix for v1.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33451>`_
|
||
|
||
CVE-2020-10065
|
||
--------------
|
||
|
||
OOB Write after not validating user-supplied length (<= 0xffff) and
|
||
copying to fixed-size buffer (default: 77 bytes) for HCI_ACL packets in
|
||
bluetooth HCI over SPI driver.
|
||
|
||
- `CVE-2020-10065 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10065>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-66
|
||
<https://zephyrprojectsec.atlasssian.net/browse/ZEPSEC-66>`_
|
||
|
||
- This issue has not been fixed.
|
||
|
||
CVE-2020-10066
|
||
--------------
|
||
|
||
Incorrect Error Handling in Bluetooth HCI core
|
||
|
||
In hci_cmd_done, the buf argument being passed as null causes
|
||
nullpointer dereference.
|
||
|
||
- `CVE-2020-10066 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10066>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-67
|
||
<https://zephyrprojectsec.atlasssian.net/browse/ZEPSEC-67>`_
|
||
|
||
- `PR24902 fix for v2.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/24902>`_
|
||
|
||
- `PR25089 fix for v1.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/25089>`_
|
||
|
||
CVE-2020-10067
|
||
--------------
|
||
|
||
Integer Overflow In is_in_region Allows User Thread To Access Kernel Memory
|
||
|
||
A malicious userspace application can cause a integer overflow and
|
||
bypass security checks performed by system call handlers. The impact
|
||
would depend on the underlying system call and can range from denial
|
||
of service to information leak to memory corruption resulting in code
|
||
execution within the kernel.
|
||
|
||
See NCC-ZEP-005
|
||
|
||
This has been fixed in releases v1.14.2, and v2.2.0.
|
||
|
||
- `CVE-2020-10067 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10067>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-27
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-27>`_
|
||
|
||
- `PR23653 fix for v1.14.2
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23653>`_
|
||
|
||
- `PR23654 fix for the v2.1 branch
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23654>`_
|
||
|
||
- `PR23239 fix for v2.2.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23239>`_
|
||
|
||
CVE-2020-10068
|
||
--------------
|
||
|
||
Zephyr Bluetooth DLE duplicate requests vulnerability
|
||
|
||
In the Zephyr project Bluetooth subsystem, certain duplicate and
|
||
back-to-back packets can cause incorrect behavior, resulting in a
|
||
denial of service.
|
||
|
||
This has been fixed in branches for v1.14.0, v2.2.0, and will be
|
||
included in v2.3.0.
|
||
|
||
- `CVE-2020-10068 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10068>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-78
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-78>`_
|
||
|
||
- `PR23707 fix for v2.3 (split driver)
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23707>`_
|
||
|
||
- `PR23708 fix for v2.3 (legacy driver)
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23708>`_
|
||
|
||
- `PR23091 fix for branch from v1.14.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23091>`_
|
||
|
||
- `PR23964 fix for v2.2.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23964>`_
|
||
|
||
CVE-2020-10069
|
||
--------------
|
||
|
||
Zephyr Bluetooth unchecked packet data results in denial of service
|
||
|
||
An unchecked parameter in bluetooth data can result in an assertion
|
||
failure, or division by zero, resulting in a denial of service attack.
|
||
|
||
This has been fixed in branches for v1.14.0, v2.2.0, and will be
|
||
included in v2.3.0.
|
||
|
||
- `CVE-2020-10069 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10069>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-81
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-81>`_
|
||
|
||
- `PR23705 fix for v2.3 (split driver)
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23705>`_
|
||
|
||
- `PR23706 fix for v2.3 (legacy driver)
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23706>`_
|
||
|
||
- `PR23091 fix for branch from v1.14.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23091>`_
|
||
|
||
- `PR23963 fix for branch from v2.2.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23963>`_
|
||
|
||
CVE-2020-10070
|
||
--------------
|
||
|
||
MQTT buffer overflow on receive buffer
|
||
|
||
In the Zephyr Project MQTT code, improper bounds checking can result
|
||
in memory corruption and possibly remote code execution. NCC-ZEP-031
|
||
|
||
When calculating the packet length, arithmetic overflow can result in
|
||
accepting a receive buffer larger than the available buffer space,
|
||
resulting in user data being written beyond this buffer.
|
||
|
||
This has been fixed in main for v2.3.
|
||
|
||
- `CVE-2020-10070 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10070>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-85
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-85>`_
|
||
|
||
- `commit 0b39cbf3 for v2.3
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23821/commits/0b39cbf3c01d7feec9d0dd7cc7e0e374b6113542>`_
|
||
|
||
- `NCC-ZEP report`_ (NCC-ZEP-031)
|
||
|
||
CVE-2020-10071
|
||
--------------
|
||
|
||
Insufficient publish message length validation in MQTT
|
||
|
||
The Zephyr MQTT parsing code performs insufficient checking of the
|
||
length field on publish messages, allowing a buffer overflow and
|
||
potentially remote code execution. NCC-ZEP-031
|
||
|
||
This has been fixed in main for v2.3.
|
||
|
||
- `CVE-2020-10071 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10071>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-86
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-86>`_
|
||
|
||
- `commit 989c4713 fix for v2.3
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/23821/commits/989c4713ba429aa5105fe476b4d629718f3e6082>`_
|
||
|
||
- `NCC-ZEP report`_ (NCC-ZEP-031)
|
||
|
||
CVE-2020-10072
|
||
--------------
|
||
|
||
All threads can access all socket file descriptors
|
||
|
||
There is no management of permissions to network socket API file
|
||
descriptors. Any thread running on the system may read/write a socket
|
||
file descriptor knowing only the numerical value of the file
|
||
descriptor.
|
||
|
||
- `CVE-2020-10072 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10072>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-87
|
||
<https://zephyrprojectsec.atlasssian.net/browse/ZEPSEC-87>`_
|
||
|
||
- `PR25804 fix for v2.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/25804>`_
|
||
|
||
- `PR27176 fix for v1.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/27176>`_
|
||
|
||
CVE-2020-10136
|
||
-------------------
|
||
|
||
IP-in-IP protocol routes arbitrary traffic by default zephyrproject
|
||
|
||
- `CVE-2020-10136 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10136>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-64
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-64>`_
|
||
|
||
CVE-2020-13598
|
||
--------------
|
||
|
||
FS: Buffer Overflow when enabling Long File Names in FAT_FS and calling fs_stat
|
||
|
||
Performing fs_stat on a file with a filename longer than 12
|
||
characters long will cause a buffer overflow.
|
||
|
||
- `CVE-2020-13598 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13598>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-88
|
||
<https://zephyrprojectsec.atlasssian.net/browse/ZEPSEC-88>`_
|
||
|
||
- `PR25852 fix for v2.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/25852>`_
|
||
|
||
- `PR28782 fix for v2.3
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/28782>`_
|
||
|
||
- `PR33577 fix for v1.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33577>`_
|
||
|
||
CVE-2020-13599
|
||
--------------
|
||
|
||
Security problem with settings and littlefs
|
||
|
||
When settings is used in combination with littlefs all security
|
||
related information can be extracted from the device using MCUmgr and
|
||
this could be used e.g in bt-mesh to get the device key, network key,
|
||
app keys from the device.
|
||
|
||
- `CVE-2020-13599 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13599>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-57
|
||
<https://zephyrprojectsec.atlasssian.net/browse/ZEPSEC-57>`_
|
||
|
||
- `PR26083 fix for v2.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/26083>`_
|
||
|
||
CVE-2020-13600
|
||
-------------------
|
||
|
||
Malformed SPI in response for eswifi can corrupt kernel memory
|
||
|
||
|
||
- `CVE-2020-13600 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13600>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-91
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-91>`_
|
||
|
||
- `PR26712 fix for v2.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/26712>`_
|
||
|
||
CVE-2020-13601
|
||
--------------
|
||
|
||
Possible read out of bounds in dns read
|
||
|
||
- `CVE-2020-13601 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13601>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-92
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-92>`_
|
||
|
||
- `PR27774 fix for v2.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/27774>`_
|
||
|
||
- `PR30503 fix for v1.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/30503>`_
|
||
|
||
CVE-2020-13602
|
||
--------------
|
||
|
||
Remote Denial of Service in LwM2M do_write_op_tlv
|
||
|
||
In the Zephyr LwM2M implementation, malformed input can result in an
|
||
infinite loop, resulting in a denial of service attack.
|
||
|
||
- `CVE-2020-13602 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13602>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-56
|
||
<https://zephyrprojectsec.atlasssian.net/browse/ZEPSEC-56>`_
|
||
|
||
- `PR26571 fix for v2.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/26571>`_
|
||
|
||
- `PR33578 fix for v1.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33578>`_
|
||
|
||
CVE-2020-13603
|
||
--------------
|
||
|
||
Possible overflow in mempool
|
||
|
||
* Zephyr offers pre-built 'malloc' wrapper function instead.
|
||
* The 'malloc' function is wrapper for the 'sys_mem_pool_alloc' function
|
||
* sys_mem_pool_alloc allocates 'size + WB_UP(sizeof(struct sys_mem_pool_block))' in an unsafe manner.
|
||
* Asking for very large size values leads to internal integer wrap-around.
|
||
* Integer wrap-around leads to successful allocation of very small memory.
|
||
* For example: calling malloc(0xffffffff) leads to successful allocation of 7 bytes.
|
||
* That leads to heap overflow.
|
||
|
||
- `CVE-2020-13603 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13603>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-111
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-111>`_
|
||
|
||
- `PR31796 fix for v2.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/31796>`_
|
||
|
||
- `PR32808 fix for v1.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/26571>`_
|
||
|
||
CVE-2021
|
||
========
|
||
|
||
CVE-2021-3319
|
||
-------------
|
||
|
||
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses
|
||
|
||
Improper processing of omitted source and destination addresses in
|
||
ieee802154 frame validation (ieee802154_validate_frame)
|
||
|
||
This has been fixed in main for v2.5.0
|
||
|
||
- `CVE-2020-3319 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3319>`_
|
||
|
||
- `Zephyr project bug tracker GHSA-94jg-2p6q-5364
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-94jg-2p6q-5364>`_
|
||
|
||
- `PR31908 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/31908>`_
|
||
|
||
CVE-2021-3320
|
||
-------------------
|
||
Mismatch between validation and handling of 802154 ACK frames, where
|
||
ACK frames are considered during validation, but not during actual
|
||
processing, leading to a type confusion.
|
||
|
||
- `CVE-2020-3320 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3320>`_
|
||
|
||
- `PR31908 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/31908>`_
|
||
|
||
CVE-2021-3321
|
||
-------------
|
||
|
||
Incomplete check of minimum IEEE 802154 fragment size leading to an
|
||
integer underflow.
|
||
|
||
- `CVE-2020-3321 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3321>`_
|
||
|
||
- `Zephyr project bug tracker ZEPSEC-114
|
||
<https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-114>`_
|
||
|
||
- `PR33453 fix for v2.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33453>`_
|
||
|
||
CVE-2021-3323
|
||
-------------
|
||
|
||
Integer Underflow in 6LoWPAN IPHC Header Uncompression
|
||
|
||
This has been fixed in main for v2.5.0
|
||
|
||
- `CVE-2020-3323 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3323>`_
|
||
|
||
- `Zephyr project bug tracker GHSA-89j6-qpxf-pfpc
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-89j6-qpxf-pfpc>`_
|
||
|
||
- `PR 31971 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/31971>`_
|
||
|
||
CVE-2021-3430
|
||
-------------
|
||
|
||
Assertion reachable with repeated LL_CONNECTION_PARAM_REQ.
|
||
|
||
This has been fixed in main for v2.6.0
|
||
|
||
- `CVE-2021-3430 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3430>`_
|
||
|
||
- `Zephyr project bug tracker GHSA-46h3-hjcq-2jjr
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-46h3-hjcq-2jjr>`_
|
||
|
||
- `PR 33272 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33272>`_
|
||
|
||
- `PR 33369 fix for 2.5
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33369>`_
|
||
|
||
- `PR 33759 fix for 1.14.2
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33759>`_
|
||
|
||
CVE-2021-3431
|
||
-------------
|
||
|
||
BT: Assertion failure on repeated LL_FEATURE_REQ
|
||
|
||
This has been fixed in main for v2.6.0
|
||
|
||
- `CVE-2021-3431 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3431>`_
|
||
|
||
- `Zephyr project bug tracker GHSA-7548-5m6f-mqv9
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7548-5m6f-mqv9>`_
|
||
|
||
- `PR 33340 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33340>`_
|
||
|
||
- `PR 33369 fix for 2.5
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33369>`_
|
||
|
||
CVE-2021-3432
|
||
-------------
|
||
|
||
Invalid interval in CONNECT_IND leads to Division by Zero
|
||
|
||
This has been fixed in main for v2.6.0
|
||
|
||
- `CVE-2021-3432 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3432>`_
|
||
|
||
- `Zephyr project bug tracker GHSA-7364-p4wc-8mj4
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7364-p4wc-8mj4>`_
|
||
|
||
- `PR 33278 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33278>`_
|
||
|
||
- `PR 33369 fix for 2.5
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33369>`_
|
||
|
||
CVE-2021-3433
|
||
-------------
|
||
|
||
BT: Invalid channel map in CONNECT_IND results to Deadlock
|
||
|
||
This has been fixed in main for v2.6.0
|
||
|
||
- `CVE-2021-3433 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3433>`_
|
||
|
||
- `Zephyr project bug tracker GHSA-3c2f-w4v6-qxrp
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3c2f-w4v6-qxrp>`_
|
||
|
||
- `PR 33278 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33278>`_
|
||
|
||
- `PR 33369 fix for 2.5
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33369>`_
|
||
|
||
CVE-2021-3434
|
||
-------------
|
||
|
||
L2CAP: Stack based buffer overflow in le_ecred_conn_req()
|
||
|
||
This has been fixed in main for v2.6.0
|
||
|
||
- `CVE-2021-3434 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3434>`_
|
||
|
||
- `Zephyr project bug tracker GHSA-8w87-6rfp-cfrm
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8w87-6rfp-cfrm>`_
|
||
|
||
- `PR 33305 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33305>`_
|
||
|
||
- `PR 33419 fix for 2.5
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33419>`_
|
||
|
||
- `PR 33418 fix for 1.14.2
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33418>`_
|
||
|
||
CVE-2021-3435
|
||
-------------
|
||
|
||
L2CAP: Information leakage in le_ecred_conn_req()
|
||
|
||
This has been fixed in main for v2.6.0
|
||
|
||
- `CVE-2021-3435 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3435>`_
|
||
|
||
- `Zephyr project bug tracker GHSA-xhg3-gvj6-4rqh
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-xhg3-gvj6-4rqh>`_
|
||
|
||
- `PR 33305 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33305>`_
|
||
|
||
- `PR 33419 fix for 2.5
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33419>`_
|
||
|
||
- `PR 33418 fix for 1.14.2
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33418>`_
|
||
|
||
CVE-2021-3436
|
||
-------------
|
||
|
||
Bluetooth: Possible to overwrite an existing bond during keys
|
||
distribution phase when the identity address of the bond is known
|
||
|
||
During the distribution of the identity address information we don’t
|
||
check for an existing bond with the same identity address.This means
|
||
that a duplicate entry will be created in RAM while the newest entry
|
||
will overwrite the existing one in persistent storage.
|
||
|
||
This has been fixed in main for v2.6.0
|
||
|
||
- `CVE-2021-3436 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3436>`_
|
||
|
||
- `Zephyr project bug tracker GHSA-j76f-35mc-4h63
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63>`_
|
||
|
||
- `PR 33266 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33266>`_
|
||
|
||
- `PR 33432 fix for 2.5
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33432>`_
|
||
|
||
- `PR 33433 fix for 2.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33433>`_
|
||
|
||
- `PR 33718 fix for 1.14.2
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33718>`_
|
||
|
||
CVE-2021-3454
|
||
-------------
|
||
|
||
Truncated L2CAP K-frame causes assertion failure
|
||
|
||
For example, sending L2CAP K-frame where SDU length field is truncated
|
||
to only one byte, causes assertion failure in previous releases of
|
||
Zephyr. This has been fixed in master by commit 0ba9437 but has not
|
||
yet been backported to older release branches.
|
||
|
||
This has been fixed in main for v2.6.0
|
||
|
||
- `CVE-2021-3454 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3454>`_
|
||
|
||
- `Zephyr project bug tracker GHSA-fx88-6c29-vrp3
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fx88-6c29-vrp3>`_
|
||
|
||
- `PR 32588 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/32588>`_
|
||
|
||
- `PR 33513 fix for 2.5
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33513>`_
|
||
|
||
- `PR 33514 fix for 2.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/33514>`_
|
||
|
||
CVE-2021-3455
|
||
-------------
|
||
|
||
Disconnecting L2CAP channel right after invalid ATT request leads freeze
|
||
|
||
When Central device connects to peripheral and creates L2CAP
|
||
connection for Enhanced ATT, sending some invalid ATT request and
|
||
disconnecting immediately causes freeze.
|
||
|
||
This has been fixed in main for v2.6.0
|
||
|
||
- `CVE-2021-3455 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3455>`_
|
||
|
||
- `Zephyr project bug tracker GHSA-7g38-3x9v-v7vp
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7g38-3x9v-v7vp>`_
|
||
|
||
- `PR 35597 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/35597>`_
|
||
|
||
- `PR 36104 fix for 2.5
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/36104>`_
|
||
|
||
- `PR 36105 fix for 2.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/36105>`_
|
||
|
||
CVE-2021-3510
|
||
-------------
|
||
|
||
Zephyr JSON decoder incorrectly decodes array of array
|
||
|
||
When using JSON_OBJ_DESCR_ARRAY_ARRAY, the subarray is has the token
|
||
type JSON_TOK_LIST_START, but then assigns to the object part of the
|
||
union. arr_parse then takes the offset of the array-object (which has
|
||
nothing todo with the list) treats it as relative to the parent
|
||
object, and stores the length of the subarray in there.
|
||
|
||
This has been fixed in main for v2.7.0
|
||
|
||
- `CVE-2021-3510 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3510>`_
|
||
|
||
- `Zephyr project bug tracker GHSA-289f-7mw3-2qf4
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4>`_
|
||
|
||
- `PR 36340 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/36340>`_
|
||
|
||
- `PR 37816 fix for 2.6
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/37816>`_
|
||
|
||
CVE-2021-3581
|
||
-------------
|
||
|
||
HCI data not properly checked leads to memory overflow in the Bluetooth stack
|
||
|
||
In the process of setting SCAN_RSP through the HCI command, the Zephyr
|
||
Bluetooth protocol stack did not effectively check the length of the
|
||
incoming HCI data. Causes memory overflow, and then the data in the
|
||
memory is overwritten, and may even cause arbitrary code execution.
|
||
|
||
This has been fixed in main for v2.6.0
|
||
|
||
- `CVE-2021-3581 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3581>`_
|
||
|
||
- `Zephyr project bug tracker GHSA-8q65-5gqf-fmw5
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8q65-5gqf-fmw5>`_
|
||
|
||
- `PR 35935 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/35935>`_
|
||
|
||
- `PR 35984 fix for 2.5
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/35984>`_
|
||
|
||
- `PR 35985 fix for 2.4
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/35985>`_
|
||
|
||
- `PR 35985 fix for 1.14
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/35985>`_
|
||
|
||
CVE-2021-3625
|
||
-------------
|
||
|
||
Buffer overflow in Zephyr USB DFU DNLOAD
|
||
|
||
This has been fixed in main for v2.6.0
|
||
|
||
- `CVE-2021-3625 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3625>`_
|
||
|
||
- `Zephyr project bug tracker GHSA-c3gr-hgvr-f363
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-c3gr-hgvr-f363>`_
|
||
|
||
- `PR 36694 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/36694>`_
|
||
|
||
CVE-2021-3835
|
||
-------------
|
||
|
||
Buffer overflow in Zephyr USB device class
|
||
|
||
This has been fixed in main for v3.0.0
|
||
|
||
- `CVE-2021-3835 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3835>`_
|
||
|
||
- `Zephyr project bug tracker GHSA-fm6v-8625-99jf
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fm6v-8625-99jf>`_
|
||
|
||
- `PR 42093 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/42093>`_
|
||
|
||
- `PR 42167 fix for 2.7
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/42167>`_
|
||
|
||
CVE-2021-3861
|
||
-------------
|
||
|
||
Buffer overflow in the RNDIS USB device class
|
||
|
||
This has been fixed in main for v3.0.0
|
||
|
||
- `CVE-2021-3861 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3861>`_
|
||
|
||
- `Zephyr project bug tracker GHSA-hvfp-w4h8-gxvj
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hvfp-w4h8-gxvj>`_
|
||
|
||
- `PR 39725 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/39725>`_
|
||
|
||
CVE-2021-3966
|
||
-------------
|
||
|
||
Usb bluetooth device ACL read cb buffer overflow
|
||
|
||
This has been fixed in main for v3.0.0
|
||
|
||
- `Zephyr project bug tracker GHSA-hfxq-3w6x-fv2m
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hfxq-3w6x-fv2m>`_
|
||
|
||
- `PR 42093 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/42093>`_
|
||
|
||
- `PR 42167 fix for v2.7.0
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/42167>`_
|
||
|
||
CVE-2022-0553
|
||
-------------
|
||
|
||
Possible to retrieve unencrypted firmware image
|
||
|
||
This has been fixed in main for v3.0.0
|
||
|
||
- `Zephyr project bug tracker GHSA-wrj2-9vj9-rrcp
|
||
<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-wrj2-9vj9-rrcp>`_
|
||
|
||
- `PR 42424 fix for main
|
||
<https://github.com/zephyrproject-rtos/zephyr/pull/42424>`_
|
||
|
||
CVE-2022-1041
|
||
--------------
|
||
|
||
Under embargo until 2022/06/19
|
||
|
||
CVE-2022-1042
|
||
--------------
|
||
|
||
Under embargo until 2022/06/19
|
||
|
||
CVE-2022-1841
|
||
--------------
|
||
|
||
Under embargo until 2022/08/18
|