.. _vulnerabilities:

Vulnerabilities
###############

This page collects all of the vulnerabilities that are discovered and
fixed in each release. It will also often have more details than are
available in the release notes. Some vulnerabilities are deemed to be
sensitive, and will not be publicly discussed until there is
sufficient time to fix them. Because the release notes are locked to
a version, the information here can be updated after the embargo is
lifted.

CVE-2017
========

CVE-2017-14199
--------------

Buffer overflow in :code:`getaddrinfo()`.

- `CVE-2017-14199 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14199>`_
- `Zephyr project bug tracker ZEPSEC-12
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-12>`_
- `PR6158 fix for 1.11.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/6158>`_

CVE-2017-14201
--------------

The shell DNS command can cause unpredictable results due to misuse of
stack variables.

Use-after-free vulnerability in the Zephyr shell allows a serial- or
telnet-connected user to cause denial of service, and possibly remote
code execution.

This has been fixed in release v1.14.0.

- `CVE-2017-14201 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14201>`_
- `Zephyr project bug tracker ZEPSEC-17
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-17>`_
- `PR13260 fix for v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/13260>`_

CVE-2017-14202
--------------

The shell implementation does not protect against buffer overruns,
resulting in unpredictable behavior.

Improper Restriction of Operations within the Bounds of a Memory
Buffer vulnerability in the shell component of Zephyr allows a serial-
or telnet-connected user to cause a crash, possibly with arbitrary
code execution.

This has been fixed in release v1.14.0.

- `CVE-2017-14202 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14202>`_
- `Zephyr project bug tracker ZEPSEC-18
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-18>`_
- `PR13048 fix for v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/13048>`_

CVE-2019
========

CVE-2019-9506
-------------

The Bluetooth BR/EDR specification up to and including version 5.1
permits sufficiently low encryption key length and does not prevent an
attacker from influencing the key length negotiation. This allows
practical brute-force attacks (aka "KNOB") that can decrypt traffic
and inject arbitrary ciphertext without the victim noticing.

- `CVE-2019-9506 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9506>`_
- `Zephyr project bug tracker ZEPSEC-20
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-20>`_
- `PR18702 fix for v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/18702>`_
- `PR18659 fix for v2.0.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/18659>`_

CVE-2020
========

CVE-2020-10019
--------------

Buffer Overflow vulnerability in USB DFU of Zephyr allows a
USB-connected host to cause possible remote code execution.

This has been fixed in releases v1.14.2, v2.2.0, and v2.1.1.

- `CVE-2020-10019 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10019>`_
- `Zephyr project bug tracker ZEPSEC-25
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-25>`_
- `PR23460 fix for 1.14.x
  <https://github.com/zephyrproject-rtos/zephyr/pull/23460>`_
- `PR23457 fix for 2.1.x
  <https://github.com/zephyrproject-rtos/zephyr/pull/23457>`_
- `PR23190 fix in 2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23190>`_

CVE-2020-10021
--------------

Out-of-bounds write in USB Mass Storage with unaligned sizes

Out-of-bounds write in the USB Mass Storage :code:`memoryWrite` handler
with unaligned sizes.

See NCC-ZEP-024, NCC-ZEP-025, NCC-ZEP-026

This has been fixed in releases v1.14.2 and v2.2.0.

- `CVE-2020-10021 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10021>`_
- `Zephyr project bug tracker ZEPSEC-26
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-26>`_
- `PR23455 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23455>`_
- `PR23456 fix for the v2.1 branch
  <https://github.com/zephyrproject-rtos/zephyr/pull/23456>`_
- `PR23240 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23240>`_

CVE-2020-10022
--------------

UpdateHub Module Copies a Variable-Size Hash String Into a Fixed-Size Array

A malformed JSON payload that is received from an UpdateHub server may
trigger memory corruption in the Zephyr OS. This could result in a
denial of service in the best case, or code execution in the worst
case.

See NCC-ZEP-016

This has been fixed in the pull requests below, for master and for
branches from v2.1.0 and v2.2.0.

- `CVE-2020-10022 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10022>`_
- `Zephyr project bug tracker ZEPSEC-28
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-28>`_
- `PR24154 fix for master
  <https://github.com/zephyrproject-rtos/zephyr/pull/24154>`_
- `PR24065 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/24065>`_
- `PR24066 fix for branch from v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/24066>`_

CVE-2020-10023
--------------

Shell Subsystem Contains a Buffer Overflow Vulnerability In
:code:`shell_spaces_trim`

The shell subsystem contains a buffer overflow, whereby an adversary
with physical access to the device is able to cause a memory
corruption, resulting in denial of service or possibly code execution
within the Zephyr kernel.

See NCC-ZEP-019

This has been fixed in releases v1.14.2 and v2.2.0, and in a branch
from v2.1.0.

- `CVE-2020-10023 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10023>`_
- `Zephyr project bug tracker ZEPSEC-29
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-29>`_
- `PR23646 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23646>`_
- `PR23649 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23649>`_
- `PR23304 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23304>`_

CVE-2020-10024
--------------

ARM Platform Uses Signed Integer Comparison When Validating Syscall
Numbers

The ARM platform-specific code uses a signed integer comparison when
validating system call numbers. An attacker who has obtained code
execution within a user thread is able to elevate privileges to that
of the kernel.

See NCC-ZEP-001

This has been fixed in releases v1.14.2 and v2.2.0, and in a branch
from v2.1.0.

- `CVE-2020-10024 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10024>`_
- `Zephyr project bug tracker ZEPSEC-30
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-30>`_
- `PR23535 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23535>`_
- `PR23498 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23498>`_
- `PR23323 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23323>`_

CVE-2020-10027
--------------

ARC Platform Uses Signed Integer Comparison When Validating Syscall
Numbers

An attacker who has obtained code execution within a user thread is
able to elevate privileges to that of the kernel.

See NCC-ZEP-001

This has been fixed in releases v1.14.2 and v2.2.0, and in a branch
from v2.1.0.

- `CVE-2020-10027 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10027>`_
- `Zephyr project bug tracker ZEPSEC-35
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-35>`_
- `PR23500 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23500>`_
- `PR23499 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23499>`_
- `PR23328 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23328>`_
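
The ARM (CVE-2020-10024) and ARC (CVE-2020-10027) entries above describe
the same defect. The following C example is added here to illustrate it
and is not Zephyr's own syscall entry code: a signed comparison lets a
negative call number pass the limit check that an unsigned comparison of
the same bits rejects. The table, :code:`SYSCALL_LIMIT` and the handler
names are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed dispatch table: SYSCALL_LIMIT handlers, indexed by the
 * call number a user thread passes in a register. Any id that is not
 * below the limit must be rejected before the table is indexed. */
#define SYSCALL_LIMIT 3u

static int sys_a(void) { return 0xA; }
static int sys_b(void) { return 0xB; }
static int sys_c(void) { return 0xC; }

static int (*const syscall_table[SYSCALL_LIMIT])(void) = { sys_a, sys_b, sys_c };

/* Vulnerable pattern: the raw register value is treated as a signed
 * integer, so the check reads "is call_id less than 3?". A negative id
 * is always less than 3, passes, and would index before the table. */
bool syscall_id_ok_signed(int32_t call_id)
{
    return call_id < (int32_t)SYSCALL_LIMIT;
}

/* Hardened pattern: the same bits compared as unsigned. A negative
 * register value is now a very large number and fails the check. */
bool syscall_id_ok_unsigned(uint32_t call_id)
{
    return call_id < SYSCALL_LIMIT;
}

/* Dispatch using the hardened check. Returns -1 for a rejected id, which
 * is where a kernel would route to its bad-syscall handler instead. */
int syscall_dispatch(uint32_t call_id)
{
    if (!syscall_id_ok_unsigned(call_id)) {
        return -1;
    }
    return syscall_table[call_id]();
}
```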

CVE-2020-10028
--------------

Multiple Syscalls In GPIO Subsystem Perform No Argument Validation

Multiple syscalls in the GPIO subsystem perform insufficient argument
validation.

See NCC-ZEP-006

This has been fixed in releases v1.14.2 and v2.2.0, and in a branch
from v2.1.0.

- `CVE-2020-10028 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10028>`_
- `Zephyr project bug tracker ZEPSEC-32
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-32>`_
- `PR23733 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23733>`_
- `PR23737 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23737>`_
- `PR23308 fix for v2.2.0 (gpio patch)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23308>`_

CVE-2020-10058
--------------

Multiple Syscalls In kscan Subsystem Perform No Argument Validation

Multiple syscalls in the kscan subsystem perform insufficient argument
validation, allowing code executing in userspace to potentially gain
elevated privileges.

See NCC-ZEP-006

This has been fixed in a branch from v2.1.0, and in release v2.2.0.

- `CVE-2020-10058 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10058>`_
- `Zephyr project bug tracker ZEPSEC-34
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-34>`_
- `PR23748 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23748>`_
- `PR23308 fix for v2.2.0 (kscan patch)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23308>`_

CVE-2020-10059
--------------

UpdateHub Module Explicitly Disables TLS Verification

The UpdateHub module disables DTLS peer checking, which allows for a
man-in-the-middle attack. This is mitigated by firmware images
requiring valid signatures. However, there is no benefit to using DTLS
without the peer checking.

See NCC-ZEP-018

This has been fixed in a PR against Zephyr master.

- `CVE-2020-10059 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10059>`_
- `Zephyr project bug tracker ZEPSEC-36
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-36>`_
- `PR24954 fix on master (to be fixed in v2.3.0)
  <https://github.com/zephyrproject-rtos/zephyr/pull/24954>`_
- `PR24999 fix for v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/24999>`_
- `PR24997 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/24997>`_

CVE-2020-10060
--------------

UpdateHub Might Dereference An Uninitialized Pointer

In :code:`updatehub_probe`, right after JSON parsing is complete,
:code:`objects[1]` is accessed from the output structure in two
different places. If the JSON contained fewer than two elements, this
access would reference uninitialized stack memory. This could result
in a crash, denial of service, or possibly an information leak.

Disabling the UpdateHub module is recommended until a fix can be made
available.

See NCC-ZEP-030

This issue has not been fixed.

- `CVE-2020-10060 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10060>`_
- `Zephyr project bug tracker ZEPSEC-37
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-37>`_

CVE-2020-10061
--------------

Error handling invalid packet sequence

Improper handling of the full-buffer case in the Zephyr Bluetooth
implementation can result in memory corruption.

This has been fixed in branches from v1.14.0 and v2.2.0, and will be
included in v2.3.0.

- `CVE-2020-10061 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10061>`_
- `Zephyr project bug tracker ZEPSEC-75
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-75>`_
- `PR23516 fix for v2.3 (split driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23516>`_
- `PR23517 fix for v2.3 (legacy driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23517>`_
- `PR23091 fix for branch from v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23091>`_
- `PR23547 fix for branch from v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23547>`_

CVE-2020-10062
--------------

Packet length decoding error in MQTT

An off-by-one error in the Zephyr project MQTT packet length decoder
can result in memory corruption and possible remote code execution.
See NCC-ZEP-031.

The MQTT packet header length can be 1 to 4 bytes. An off-by-one error
in the code can result in this being interpreted as 5 bytes, which can
cause an integer overflow, resulting in memory corruption.

This has been fixed in master for v2.3.

- `CVE-2020-10062 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10062>`_
- `Zephyr project bug tracker ZEPSEC-84
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-84>`_
- `commit 11b7a37d for v2.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/23821/commits/11b7a37d9a0b438270421b224221d91929843de4>`_
- `NCC-ZEP report`_ (NCC-ZEP-031)

.. _NCC-ZEP report: https://research.nccgroup.com/2020/05/26/research-report-zephyr-and-mcuboot-security-assessment

CVE-2020-10063
--------------

Remote Denial of Service in CoAP Option Parsing Due To Integer
Overflow

A remote adversary with the ability to send arbitrary CoAP packets to
be parsed by Zephyr is able to cause a denial of service.

This has been fixed in master for v2.3.

- `CVE-2020-10063 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10063>`_
- `Zephyr project bug tracker ZEPSEC-55
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-55>`_
- `PR24435 fix in master for v2.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/24435>`_
- `PR24531 fix for branch from v2.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/24531>`_
- `PR24535 fix for branch from v2.1
  <https://github.com/zephyrproject-rtos/zephyr/pull/24535>`_
- `PR24530 fix for branch from v1.14
  <https://github.com/zephyrproject-rtos/zephyr/pull/24530>`_
- `NCC-ZEP report`_ (NCC-ZEP-032)

CVE-2020-10067
--------------

Integer Overflow In is_in_region Allows User Thread To Access Kernel Memory

A malicious userspace application can cause an integer overflow and
bypass security checks performed by system call handlers. The impact
would depend on the underlying system call and can range from denial
of service to information leak to memory corruption resulting in code
execution within the kernel.

See NCC-ZEP-005

This has been fixed in releases v1.14.2 and v2.2.0.

- `CVE-2020-10067 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10067>`_
- `Zephyr project bug tracker ZEPSEC-27
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-27>`_
- `PR23653 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23653>`_
- `PR23654 fix for the v2.1 branch
  <https://github.com/zephyrproject-rtos/zephyr/pull/23654>`_
- `PR23239 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23239>`_
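
An added example, not Zephyr's :code:`is_in_region`, showing the bug
class behind this entry in plain C: a range check that computes
:code:`addr + size` wraps in a 32-bit address space and accepts pairs
that lie outside the region, while a check that compares the requested
size against the space remaining after the offset cannot wrap. The
region bounds and the sample addresses are constructed.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed region: a 4 KiB window standing in for the memory a user
 * thread is permitted to hand to a system call (addresses are 32-bit). */
#define REGION_START 0x20000000u
#define REGION_SIZE  0x1000u

/* Vulnerable pattern: computes the end address with plain addition.
 * addr + size wraps modulo 2^32, so a huge size, or an address near
 * the top of memory, yields an "end" that lands inside the region and
 * the check passes for memory the caller does not own. */
bool in_region_wrapping(uint32_t addr, uint32_t size)
{
    uint32_t end = (uint32_t)(addr + size);   /* may wrap */
    return addr >= REGION_START && end <= REGION_START + REGION_SIZE;
}

/* Hardened pattern: never form an end address. Reject addresses below
 * the region, then compare the requested size against the space left
 * after the offset; each subtraction is guarded, so nothing wraps. */
bool in_region_safe(uint32_t addr, uint32_t size)
{
    if (addr < REGION_START) {
        return false;
    }
    uint32_t offset = addr - REGION_START;     /* no underflow: addr >= start */
    if (offset > REGION_SIZE) {
        return false;
    }
    /* offset == REGION_SIZE is only acceptable for a zero-length request */
    return size <= REGION_SIZE - offset;
}
```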

CVE-2020-10068
--------------

Zephyr Bluetooth DLE duplicate requests vulnerability

In the Zephyr project Bluetooth subsystem, certain duplicate and
back-to-back packets can cause incorrect behavior, resulting in a
denial of service.

This has been fixed in branches from v1.14.0 and v2.2.0, and will be
included in v2.3.0.

- `CVE-2020-10068 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10068>`_
- `Zephyr project bug tracker ZEPSEC-78
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-78>`_
- `PR23707 fix for v2.3 (split driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23707>`_
- `PR23708 fix for v2.3 (legacy driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23708>`_
- `PR23091 fix for branch from v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23091>`_
- `PR23964 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23964>`_

CVE-2020-10069
--------------

Zephyr Bluetooth unchecked packet data results in denial of service

An unchecked parameter in Bluetooth data can result in an assertion
failure, or division by zero, resulting in a denial of service attack.

This has been fixed in branches from v1.14.0 and v2.2.0, and will be
included in v2.3.0.

- `CVE-2020-10069 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10069>`_
- `Zephyr project bug tracker ZEPSEC-81
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-81>`_
- `PR23705 fix for v2.3 (split driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23705>`_
- `PR23706 fix for v2.3 (legacy driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23706>`_
- `PR23091 fix for branch from v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23091>`_
- `PR23963 fix for branch from v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23963>`_

CVE-2020-10070
--------------

MQTT buffer overflow on receive buffer

In the Zephyr Project MQTT code, improper bounds checking can result
in memory corruption and possibly remote code execution. See
NCC-ZEP-031.

When calculating the packet length, arithmetic overflow can result in
accepting a receive buffer larger than the available buffer space,
resulting in user data being written beyond this buffer.

This has been fixed in master for v2.3.

- `CVE-2020-10070 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10070>`_
- `Zephyr project bug tracker ZEPSEC-85
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-85>`_
- `commit 0b39cbf3 for v2.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/23821/commits/0b39cbf3c01d7feec9d0dd7cc7e0e374b6113542>`_
- `NCC-ZEP report`_ (NCC-ZEP-031)
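
CVE-2020-10062 (off-by-one in the length decoder) and CVE-2020-10070
(arithmetic overflow when sizing the receive buffer) both concern the
MQTT remaining-length field. The C example below is added here and is
not Zephyr's MQTT code: it decodes the 1 to 4 byte field, treats a fifth
continuation byte as malformed, and checks the decoded length against
the receive buffer by comparing sizes rather than adding them. The
sample headers are constructed, not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MQTT_MAX_LEN_BYTES 4u  /* the field is 1 to 4 bytes, never 5 */

/* Decodes the MQTT "remaining length" field that follows the first
 * header byte: 7 data bits per byte, top bit set means "more bytes".
 * Returns the number of length bytes consumed (1..4), or 0 if the
 * field is truncated or a fifth byte would be needed. Stopping at
 * four bytes is the fix for the off-by-one in CVE-2020-10062. */
int mqtt_decode_remaining_length(const uint8_t *buf, size_t buf_len, uint32_t *out)
{
    uint32_t value = 0;
    uint32_t multiplier = 1;
    for (size_t i = 0; i < MQTT_MAX_LEN_BYTES; i++) {
        if (i >= buf_len) {
            return 0;                          /* truncated field */
        }
        uint8_t b = buf[i];
        value += (uint32_t)(b & 0x7F) * multiplier;
        if ((b & 0x80) == 0) {
            *out = value;
            return (int)i + 1;
        }
        multiplier *= 128;
    }
    return 0;   /* four continuation bits in a row: malformed */
}

/* Decides whether a packet may be received into a buffer of rx_buf_size
 * bytes, given the fixed header length (1 + length bytes). Comparing the
 * remaining length against the space left, instead of computing
 * hdr_len + remaining, avoids the overflow behind CVE-2020-10070. */
bool mqtt_packet_fits(uint32_t remaining, size_t hdr_len, size_t rx_buf_size)
{
    if (hdr_len > rx_buf_size) {
        return false;
    }
    return remaining <= rx_buf_size - hdr_len;
}

/* Parses a fixed header and checks it against the receive buffer.
 * Returns the remaining length, or -1 if the packet must be rejected. */
int64_t mqtt_check_header(const uint8_t *pkt, size_t pkt_len, size_t rx_buf_size)
{
    uint32_t remaining;
    if (pkt_len < 2) {
        return -1;                  /* need the type byte and one length byte */
    }
    int n = mqtt_decode_remaining_length(pkt + 1, pkt_len - 1, &remaining);
    if (n == 0) {
        return -1;
    }
    if (!mqtt_packet_fits(remaining, 1 + (size_t)n, rx_buf_size)) {
        return -1;
    }
    return remaining;
}

/* Constructed sample fixed headers (PUBLISH type byte 0x30). */
static const uint8_t MQTT_SAMPLE_SHORT[] = { 0x30, 0x0A };                         /* 10 */
static const uint8_t MQTT_SAMPLE_TWO[]   = { 0x30, 0x80, 0x01 };                   /* 128 */
static const uint8_t MQTT_SAMPLE_MAX[]   = { 0x30, 0xFF, 0xFF, 0xFF, 0x7F };       /* 268435455 */
static const uint8_t MQTT_SAMPLE_FIVE[]  = { 0x30, 0x80, 0x80, 0x80, 0x80, 0x01 }; /* 5 bytes: bad */
static const uint8_t MQTT_SAMPLE_TRUNC[] = { 0x30, 0x80 };                         /* cut off */
```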

CVE-2020-10071
--------------

Insufficient publish message length validation in MQTT

The Zephyr MQTT parsing code performs insufficient checking of the
length field on publish messages, allowing a buffer overflow and
potentially remote code execution. See NCC-ZEP-031.

This has been fixed in master for v2.3.

- `CVE-2020-10071 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10071>`_
- `Zephyr project bug tracker ZEPSEC-86
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-86>`_
- `commit 989c4713 fix for v2.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/23821/commits/989c4713ba429aa5105fe476b4d629718f3e6082>`_
- `NCC-ZEP report`_ (NCC-ZEP-031)