CVE-2020

CVE 2020-10019

Buffer Overflow vulnerability in USB DFU of zephyr allows a USB connected host to cause possible remote code execution.

This has been fixed in releases v1.14.2, v2.2.0, and v2.1.1.

• Zephyr project bug tracker ZEPSEC-25

• PR23460 fix for 1.14.x

• PR23457 fix for 2.1.x

• PR23190 fix in 2.2.0

CVE 2020-10021

Out-of-bounds write in USB Mass Storage with unaligned sizes

Out-of-bounds Write in the USB Mass Storage memoryWrite handler with unaligned Sizes.

See NCC-ZEP-024, NCC-ZEP-025, NCC-ZEP-026

This has been fixed in releases v1.14.2, and v2.2.0.

• Zephyr project bug tracker ZEPSEC-26

• PR23455 fix for v1.14.2

• PR23456 fix for the v2.1 branch

• PR23240 fix for v2.2.0

CVE 2020-10022

UpdateHub Module Copies a Variable-Size Hash String Into a Fixed-Size Array

A malformed JSON payload that is received from an UpdateHub server may trigger memory corruption in the Zephyr OS. This could result in a denial of service in the best case, or code execution in the worst case.

See NCC-ZEP-016

This has been fixed in the below pull requests for main, branch from v2.1.0, and branch from v2.2.0.

• Zephyr project bug tracker ZEPSEC-28

• PR24154 fix for main

• PR24065 fix for branch from v2.1.0

• PR24066 fix for branch from v2.2.0

CVE 2020-10023

Shell Subsystem Contains a Buffer Overflow Vulnerability In shell_spaces_trim

The shell subsystem contains a buffer overflow, whereby an adversary with physical access to the device is able to cause a memory corruption, resulting in denial of service or possibly code execution within the Zephyr kernel.

See NCC-ZEP-019

This has been fixed in releases v1.14.2, v2.2.0, and in a branch from v2.1.0,

• Zephyr project bug tracker ZEPSEC-29

• PR23646 fix for v1.14.2

• PR23649 fix for branch from v2.1.0

• PR23304 fix for v2.2.0

CVE 2020-10024

ARM Platform Uses Signed Integer Comparison When Validating Syscall Numbers

The arm platform-specific code uses a signed integer comparison when validating system call numbers. An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel.

See NCC-ZEP-001

This has been fixed in releases v1.14.2, and v2.2.0, and in a branch from v2.1.0,

• Zephyr project bug tracker ZEPSEC-30

• PR23535 fix for v1.14.2

• PR23498 fix for branch from v2.1.0

• PR23323 fix for v2.2.0

CVE 2020-10027

ARC Platform Uses Signed Integer Comparison When Validating Syscall Numbers

An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel.

See NCC-ZEP-001

This has been fixed in releases v1.14.2, and v2.2.0, and in a branch from v2.1.0.

• Zephyr project bug tracker ZEPSEC-35

• PR23500 fix for v1.14.2

• PR23499 fix for branch from v2.1.0

• PR23328 fix for v2.2.0

CVE 2020-10028

Multiple Syscalls In GPIO Subsystem Performs No Argument Validation

Multiple syscalls with insufficient argument validation

See NCC-ZEP-006

This has been fixed in releases v1.14.2, and v2.2.0, and in a branch from v2.1.0.

• Zephyr project bug tracker ZEPSEC-32

• PR23733 fix for v1.14.2

• PR23737 fix for branch from v2.1.0

• PR23308 fix for v2.2.0 (gpio patch)

CVE 2020-10058

Multiple Syscalls In kscan Subsystem Performs No Argument Validation

Multiple syscalls in the Kscan subsystem perform insufficient argument validation, allowing code executing in userspace to potentially gain elevated privileges.

See NCC-ZEP-006

This has been fixed in a branch from v2.1.0, and release v2.2.0.

• Zephyr project bug tracker ZEPSEC-34

• PR23748 fix for branch from v2.1.0

• PR23308 fix for v2.2.0 (kscan patch)

CVE 2020-10059

UpdateHub Module Explicitly Disables TLS Verification

The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware images requiring valid signatures. However, there is no benefit to using DTLS without the peer checking.

See NCC-ZEP-018

This has been fixed in a PR against Zephyr main.

• Zephyr project bug tracker ZEPSEC-36

• PR24954 fix on main (to be fixed in v2.3.0)

• PR24954 fix v2.1.0

• PR24954 fix v2.2.0

CVE 2020-10060

UpdateHub Might Dereference An Uninitialized Pointer

In updatehub_probe, right after JSON parsing is complete, objects[1] is accessed from the output structure in two different places. If the JSON contained less than two elements, this access would reference uninitialized stack memory. This could result in a crash, denial of service, or possibly an information leak.

Recommend disabling updatehub until such a time as a fix can be made available.

See NCC-ZEP-030

This has been fixed in a PR against Zephyr main.

• Zephyr project bug tracker ZEPSEC-37

• PR27865 fix on main (to be fixed in v2.4.0)

• PR27865 fix for v2.3.0

• PR27865 fix for v2.2.0

• PR27865 fix for v2.1.0

CVE 2020-10061

Error handling invalid packet sequence

Improper handling of the full-buffer case in the Zephyr Bluetooth implementation can result in memory corruption.

This has been fixed in branches for v1.14.0, v2.2.0, and will be included in v2.3.0.

• Zephyr project bug tracker ZEPSEC-75

• PR23516 fix for v2.3 (split driver)

• PR23517 fix for v2.3 (legacy driver)

• PR23091 fix for branch from v1.14.0

• PR23547 fix for branch from v2.2.0

CVE 2020-10062

Packet length decoding error in MQTT

CVE: An off-by-one error in the Zephyr project MQTT packet length decoder can result in memory corruption and possible remote code execution. NCC-ZEP-031

The MQTT packet header length can be 1 to 4 bytes. An off-by-one error in the code can result in this being interpreted as 5 bytes, which can cause an integer overflow, resulting in memory corruption.

This has been fixed in main for v2.3.

• Zephyr project bug tracker ZEPSEC-84

• commit 11b7a37d for v2.3

• NCC-ZEP report (NCC-ZEP-031)

CVE 2020-10063

Remote Denial of Service in CoAP Option Parsing Due To Integer Overflow

A remote adversary with the ability to send arbitrary CoAP packets to be parsed by Zephyr is able to cause a denial of service.

This has been fixed in main for v2.3.

• Zephyr project bug tracker ZEPSEC-55

• PR24435 fix in main for v2.3

• PR24531 fix for branch from v2.2

• PR24535 fix for branch from v2.1

• PR24530 fix for branch from v1.14

• NCC-ZEP report (NCC-ZEP-032)

CVE 2020-10064

Improper Input Frame Validation in ieee802154 Processing

• Zephyr project bug tracker ZEPSEC-65

• PR24971 fix for v2.4

• PR33451 fix for v1.4

CVE 2020-10065

OOB Write after not validating user-supplied length (<= 0xffff) and copying to fixed-size buffer (default: 77 bytes) for HCI_ACL packets in bluetooth HCI over SPI driver.

• Zephyr project bug tracker ZEPSEC-66

• This issue has not been fixed.

CVE 2020-10066

Incorrect Error Handling in Bluetooth HCI core

In hci_cmd_done, the buf argument being passed as null causes nullpointer dereference.

• Zephyr project bug tracker ZEPSEC-67

• PR24902 fix for v2.4

• PR25089 fix for v1.4

CVE 2020-10067

Integer Overflow In is_in_region Allows User Thread To Access Kernel Memory

A malicious userspace application can cause a integer overflow and bypass security checks performed by system call handlers. The impact would depend on the underlying system call and can range from denial of service to information leak to memory corruption resulting in code execution within the kernel.

See NCC-ZEP-005

This has been fixed in releases v1.14.2, and v2.2.0.

• Zephyr project bug tracker ZEPSEC-27

• PR23653 fix for v1.14.2

• PR23654 fix for the v2.1 branch

• PR23239 fix for v2.2.0

CVE 2020-10068

Zephyr Bluetooth DLE duplicate requests vulnerability

In the Zephyr project Bluetooth subsystem, certain duplicate and back-to-back packets can cause incorrect behavior, resulting in a denial of service.

This has been fixed in branches for v1.14.0, v2.2.0, and will be included in v2.3.0.

• Zephyr project bug tracker ZEPSEC-78

• PR23707 fix for v2.3 (split driver)

• PR23708 fix for v2.3 (legacy driver)

• PR23091 fix for branch from v1.14.0

• PR23964 fix for v2.2.0

CVE 2020-10069

Zephyr Bluetooth unchecked packet data results in denial of service

An unchecked parameter in bluetooth data can result in an assertion failure, or division by zero, resulting in a denial of service attack.

This has been fixed in branches for v1.14.0, v2.2.0, and will be included in v2.3.0.

• Zephyr project bug tracker ZEPSEC-81

• PR23705 fix for v2.3 (split driver)

• PR23706 fix for v2.3 (legacy driver)

• PR23091 fix for branch from v1.14.0

• PR23963 fix for branch from v2.2.0

CVE 2020-10070

MQTT buffer overflow on receive buffer

In the Zephyr Project MQTT code, improper bounds checking can result in memory corruption and possibly remote code execution. NCC-ZEP-031

When calculating the packet length, arithmetic overflow can result in accepting a receive buffer larger than the available buffer space, resulting in user data being written beyond this buffer.

This has been fixed in main for v2.3.

• Zephyr project bug tracker ZEPSEC-85

• commit 0b39cbf3 for v2.3

• NCC-ZEP report (NCC-ZEP-031)

CVE 2020-10071

Insufficient publish message length validation in MQTT

The Zephyr MQTT parsing code performs insufficient checking of the length field on publish messages, allowing a buffer overflow and potentially remote code execution. NCC-ZEP-031

This has been fixed in main for v2.3.

• Zephyr project bug tracker ZEPSEC-86

• commit 989c4713 fix for v2.3

• NCC-ZEP report (NCC-ZEP-031)

CVE 2020-10072

All threads can access all socket file descriptors

There is no management of permissions to network socket API file descriptors. Any thread running on the system may read/write a socket file descriptor knowing only the numerical value of the file descriptor.

• Zephyr project bug tracker ZEPSEC-87

• PR25804 fix for v2.4

• PR27176 fix for v1.4

CVE 2020-10136

IP-in-IP protocol routes arbitrary traffic by default zephyrproject

• Zephyr project bug tracker ZEPSEC-64

CVE 2020-13598

FS: Buffer Overflow when enabling Long File Names in FAT_FS and calling fs_stat

Performing fs_stat on a file with a filename longer than 12 characters long will cause a buffer overflow.

• Zephyr project bug tracker ZEPSEC-88

• PR25852 fix for v2.4

• PR28782 fix for v2.3

• PR33577 fix for v1.4

CVE 2020-13599

Security problem with settings and littlefs

When settings is used in combination with littlefs all security related information can be extracted from the device using MCUmgr and this could be used e.g in bt-mesh to get the device key, network key, app keys from the device.

• Zephyr project bug tracker ZEPSEC-57

• PR26083 fix for v2.4

CVE 2020-13600

Malformed SPI in response for eswifi can corrupt kernel memory

• Zephyr project bug tracker ZEPSEC-91

• PR26712 fix for v2.4

CVE 2020-13601

Possible read out of bounds in dns read

• Zephyr project bug tracker ZEPSEC-92

• PR27774 fix for v2.4

• PR30503 fix for v1.4

CVE 2020-13602

Remote Denial of Service in LwM2M do_write_op_tlv

In the Zephyr LwM2M implementation, malformed input can result in an infinite loop, resulting in a denial of service attack.

• Zephyr project bug tracker ZEPSEC-56

• PR26571 fix for v2.4

• PR33578 fix for v1.4

CVE 2020-13603

Possible overflow in mempool

• Zephyr offers pre-built ‘malloc’ wrapper function instead.

• The ‘malloc’ function is wrapper for the ‘sys_mem_pool_alloc’ function

• sys_mem_pool_alloc allocates ‘size + WB_UP(sizeof(struct sys_mem_pool_block))’ in an unsafe manner.

• Asking for very large size values leads to internal integer wrap-around.

• Integer wrap-around leads to successful allocation of very small memory.

• For example: calling malloc(0xffffffff) leads to successful allocation of 7 bytes.

• That leads to heap overflow.

• Zephyr project bug tracker ZEPSEC-111

• PR31796 fix for v2.4

• PR32808 fix for v1.4