CVE-2021
CVE-2021-3319
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses
Improper processing of omitted source and destination addresses in ieee802154 frame validation (ieee802154_validate_frame)
This has been fixed in main for v2.5.0
CVE-2021-3320
Mismatch between validation and handling of 802154 ACK frames, where ACK frames are considered during validation, but not during actual processing, leading to a type confusion.
CVE-2021-3321
Incomplete check of minimum IEEE 802154 fragment size leading to an integer underflow.
CVE-2021-3323
Integer Underflow in 6LoWPAN IPHC Header Uncompression
This has been fixed in main for v2.5.0
CVE-2021-3430
Assertion reachable with repeated LL_CONNECTION_PARAM_REQ.
This has been fixed in main for v2.6.0
CVE-2021-3431
BT: Assertion failure on repeated LL_FEATURE_REQ
This has been fixed in main for v2.6.0
CVE-2021-3432
Invalid interval in CONNECT_IND leads to Division by Zero
This has been fixed in main for v2.6.0
CVE-2021-3433
BT: Invalid channel map in CONNECT_IND results in a deadlock
This has been fixed in main for v2.6.0
CVE-2021-3434
L2CAP: Stack based buffer overflow in le_ecred_conn_req()
This has been fixed in main for v2.6.0
CVE-2021-3435
L2CAP: Information leakage in le_ecred_conn_req()
This has been fixed in main for v2.6.0
CVE-2021-3436
Bluetooth: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known
During the distribution of the identity address information we don’t check for an existing bond with the same identity address. This means that a duplicate entry will be created in RAM while the newest entry will overwrite the existing one in persistent storage.
This has been fixed in main for v2.6.0
CVE-2021-3454
Truncated L2CAP K-frame causes assertion failure
For example, sending an L2CAP K-frame whose SDU length field is truncated to a single byte causes an assertion failure in previous releases of Zephyr. This has been fixed in master by commit 0ba9437 but has not yet been backported to older release branches.
This has been fixed in main for v2.6.0
CVE-2021-3455
Disconnecting L2CAP channel right after invalid ATT request leads to a freeze
When a central device connects to a peripheral and creates an L2CAP connection for Enhanced ATT, sending an invalid ATT request and disconnecting immediately causes a freeze.
This has been fixed in main for v2.6.0
CVE-2021-3510
Zephyr JSON decoder incorrectly decodes array of array
When using JSON_OBJ_DESCR_ARRAY_ARRAY, the subarray has the token type JSON_TOK_LIST_START, but the descriptor then assigns to the object part of the union. arr_parse then takes the offset of the array-object (which has nothing to do with the list), treats it as relative to the parent object, and stores the length of the subarray there.
This has been fixed in main for v2.7.0
CVE-2021-3581
HCI data not properly checked leads to memory overflow in the Bluetooth stack
In the process of setting SCAN_RSP through the HCI command, the Zephyr Bluetooth protocol stack did not effectively check the length of the incoming HCI data. This causes a memory overflow in which data in memory is overwritten, and may even lead to arbitrary code execution.
This has been fixed in main for v2.6.0
CVE-2021-3625
Buffer overflow in Zephyr USB DFU DNLOAD
This has been fixed in main for v2.6.0
CVE-2021-3835
Buffer overflow in Zephyr USB device class
This has been fixed in main for v3.0.0
CVE-2021-3861
Buffer overflow in the RNDIS USB device class
This has been fixed in main for v3.0.0
CVE-2021-3966
USB Bluetooth device ACL read callback buffer overflow
This has been fixed in main for v3.0.0