CVE-2022-39343

Azure RTOS FileX is a FAT-compatible file system that’s fully integrated with Azure RTOS ThreadX. In versions before 6.2.0, the Fault Tolerant feature of Azure RTOS FileX includes integer under and overflows which may be exploited to achieve buffer overflow and modify memory contents. When a valid log file with correct ID and checksum is detected by the `_fx_fault_tolerant_enable` function an attempt to recover the previous failed write operation is taken by call of `_fx_fault_tolerant_apply_logs`. This function iterates through the log entries and performs required recovery operations. When properly crafted a log including entries of type `FX_FAULT_TOLERANT_DIR_LOG_TYPE` may be utilized to introduce unexpected behavior. This issue has been patched in version 6.2.0. A workaround to fix line 218 in fx_fault_tolerant_apply_logs.c is documented in the GHSA.

CVSS v3 5.6 MEDIUM

5.6^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/azure-rtos/filex/blob/master/common/src/fx_fault_tolerant_apply_logs.c#L218	Patch Third Party Advisory
https://github.com/azure-rtos/filex/security/advisories/GHSA-8jqf-wjhq-4w9f	Exploit Mitigation Third Party Advisory
https://github.com/azure-rtos/filex/blob/master/common/src/fx_fault_tolerant_apply_logs.c#L218	Patch Third Party Advisory
https://github.com/azure-rtos/filex/security/advisories/GHSA-8jqf-wjhq-4w9f	Exploit Mitigation Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:microsoft:azure_rtos_filex:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:18

Type	Values Removed	Values Added
References	~~() https://github.com/azure-rtos/filex/blob/master/common/src/fx_fault_tolerant_apply_logs.c#L218 - Patch, Third Party Advisory~~	() https://github.com/azure-rtos/filex/blob/master/common/src/fx_fault_tolerant_apply_logs.c#L218 - Patch, Third Party Advisory
References	~~() https://github.com/azure-rtos/filex/security/advisories/GHSA-8jqf-wjhq-4w9f - Exploit, Mitigation, Third Party Advisory~~	() https://github.com/azure-rtos/filex/security/advisories/GHSA-8jqf-wjhq-4w9f - Exploit, Mitigation, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~7.8~~	v2 : unknown v3 : 5.6

Information

Published : 2022-11-08 08:15

Updated : 2024-11-21 07:18

NVD link : CVE-2022-39343

Mitre link : CVE-2022-39343

CVE.ORG link : CVE-2022-39343

JSON object : View

Products Affected

microsoft

azure_rtos_filex

CWE

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-190

Integer Overflow or Wraparound

CWE-191

Integer Underflow (Wrap or Wraparound)

{"id": "CVE-2022-39343", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2022-11-08T08:15:09.537", "references": [{"url": "https://github.com/azure-rtos/filex/blob/master/common/src/fx_fault_tolerant_apply_logs.c#L218", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/azure-rtos/filex/security/advisories/GHSA-8jqf-wjhq-4w9f", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/azure-rtos/filex/blob/master/common/src/fx_fault_tolerant_apply_logs.c#L218", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/azure-rtos/filex/security/advisories/GHSA-8jqf-wjhq-4w9f", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-120"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-191"}]}], "descriptions": [{"lang": "en", "value": "Azure RTOS FileX is a FAT-compatible file system that\u2019s fully integrated with Azure RTOS ThreadX. In versions before 6.2.0, the Fault Tolerant feature of Azure RTOS FileX includes integer under and overflows which may be exploited to achieve buffer overflow and modify memory contents. When a valid log file with correct ID and checksum is detected by the `_fx_fault_tolerant_enable` function an attempt to recover the previous failed write operation is taken by call of `_fx_fault_tolerant_apply_logs`. This function iterates through the log entries and performs required recovery operations. When properly crafted a log including entries of type `FX_FAULT_TOLERANT_DIR_LOG_TYPE` may be utilized to introduce unexpected behavior. This issue has been patched in version 6.2.0. A workaround to fix line 218 in fx_fault_tolerant_apply_logs.c is documented in the GHSA."}, {"lang": "es", "value": "Azure RTOS FileX es un sistema de archivos compatible con FAT que est\u00e1 completamente integrado con Azure RTOS ThreadX. En versiones anteriores a la 6.2.0, la caracter\u00edstica Tolerante a fallos de Azure RTOS FileX incluye desbordamientos y subestimaciones de enteros que pueden aprovecharse para lograr un desbordamiento del b\u00fafer y modificar el contenido de la memoria. Cuando la funci\u00f3n `_fx_fault_tolerant_enable` detecta un archivo de registro v\u00e1lido con ID y suma de verificaci\u00f3n correctos, se intenta recuperar la operaci\u00f3n de escritura fallida anterior mediante la llamada de `_fx_fault_tolerant_apply_logs`. Esta funci\u00f3n recorre en iteraci\u00f3n las entradas del registro y realiza las operaciones de recuperaci\u00f3n necesarias. Cuando se elabora correctamente, se puede utilizar un registro que incluya entradas del tipo `FX_FAULT_TOLERANT_DIR_LOG_TYPE` para introducir comportamientos inesperados. Este problema se solucion\u00f3 en la versi\u00f3n 6.2.0. En GHSA se documenta un workaround alternativo para corregir la l\u00ednea 218 en fx_fault_tolerant_apply_logs.c."}], "lastModified": "2024-11-21T07:18:04.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:azure_rtos_filex:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DDA74F57-5852-4584-82B6-FF1D07B311C9", "versionEndExcluding": "6.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}

5.6 /10