CVE-2024-48981

{"id": "CVE-2024-48981", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-11-20T20:15:19.097", "references": [{"url": "https://github.com/mbed-ce/mbed-os/blob/54e8693ef4ff7e025018094f290a1d5cf380941f/connectivity/FEATURE_BLE/source/cordio/stack_adaptation/hci_tr.c#L161", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://github.com/mbed-ce/mbed-os/pull/374", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-120"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-120"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in MBed OS 6.16.0. During processing of HCI packets, the software dynamically determines the length of the packet header by looking up the identifying first byte and matching it against a table of possible lengths. The initial parsing function, hciTrSerialRxIncoming does not drop packets with invalid identifiers but also does not set a safe default for the length of unknown packets' headers, leading to a buffer overflow. This can be leveraged into an arbitrary write by an attacker. It is possible to overwrite the pointer to a not-yet-allocated buffer that is supposed to receive the contents of the packet body. One can then overwrite the state variable used by the function to determine which state of packet parsing is currently occurring. Because the buffer is allocated when the last byte of the header has been copied, the combination of having a bad header length variable that will never match the counter variable and being able to overwrite the state variable with the resulting buffer overflow can be used to advance the function to the next step while skipping the buffer allocation and resulting pointer write. The next 16 bytes from the packet body are then written wherever the corrupted data pointer is pointing."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en MBed OS 6.16.0. Durante el procesamiento de paquetes HCI, el software determina din\u00e1micamente la longitud del encabezado del paquete buscando el primer byte de identificaci\u00f3n y compar\u00e1ndolo con una tabla de longitudes posibles. La funci\u00f3n de an\u00e1lisis inicial, hciTrSerialRxIncoming, no descarta los paquetes con identificadores no v\u00e1lidos, pero tampoco establece un valor predeterminado seguro para la longitud de los encabezados de los paquetes desconocidos, lo que provoca un desbordamiento del b\u00fafer. Un atacante puede aprovechar esto para realizar una escritura arbitraria. Es posible sobrescribir el puntero a un b\u00fafer a\u00fan no asignado que se supone que debe recibir el contenido del cuerpo del paquete. Luego, se puede sobrescribir la variable de estado utilizada por la funci\u00f3n para determinar qu\u00e9 estado del an\u00e1lisis del paquete se est\u00e1 produciendo actualmente. Debido a que el b\u00fafer se asigna cuando se ha copiado el \u00faltimo byte del encabezado, la combinaci\u00f3n de tener una variable de longitud de encabezado incorrecta que nunca coincidir\u00e1 con la variable de contador y poder sobrescribir la variable de estado con el desbordamiento de b\u00fafer resultante se puede utilizar para avanzar la funci\u00f3n al siguiente paso mientras se omite la asignaci\u00f3n de b\u00fafer y la escritura del puntero resultante. Los siguientes 16 bytes del cuerpo del paquete se escriben donde sea que apunte el puntero de datos da\u00f1ado."}], "lastModified": "2024-11-25T22:15:13.517", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:arm:mbed:6.16.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C9CE74E6-6FC6-4507-A9EE-F74B3E02FCB8"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}