An issue was discovered in MBed OS 6.16.0. During processing of HCI packets, the software dynamically determines the length of the packet header by looking up the identifying first byte and matching it against a table of possible lengths. The initial parsing function, hciTrSerialRxIncoming does not drop packets with invalid identifiers but also does not set a safe default for the length of unknown packets' headers, leading to a buffer overflow. This can be leveraged into an arbitrary write by an attacker. It is possible to overwrite the pointer to a not-yet-allocated buffer that is supposed to receive the contents of the packet body. One can then overwrite the state variable used by the function to determine which state of packet parsing is currently occurring. Because the buffer is allocated when the last byte of the header has been copied, the combination of having a bad header length variable that will never match the counter variable and being able to overwrite the state variable with the resulting buffer overflow can be used to advance the function to the next step while skipping the buffer allocation and resulting pointer write. The next 16 bytes from the packet body are then written wherever the corrupted data pointer is pointing.
History

Mon, 25 Nov 2024 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Mbed
Mbed mbed
CPEs cpe:2.3:o:mbed:mbed:6.16.0:*:*:*:*:*:*:*
Vendors & Products Mbed
Mbed mbed
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 Nov 2024 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Arm
Arm mbed
Weaknesses CWE-120
CPEs cpe:2.3:o:arm:mbed:6.16.0:*:*:*:*:*:*:*
Vendors & Products Arm
Arm mbed
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Wed, 20 Nov 2024 20:00:00 +0000

Type Values Removed Values Added
Description An issue was discovered in MBed OS 6.16.0. During processing of HCI packets, the software dynamically determines the length of the packet header by looking up the identifying first byte and matching it against a table of possible lengths. The initial parsing function, hciTrSerialRxIncoming does not drop packets with invalid identifiers but also does not set a safe default for the length of unknown packets' headers, leading to a buffer overflow. This can be leveraged into an arbitrary write by an attacker. It is possible to overwrite the pointer to a not-yet-allocated buffer that is supposed to receive the contents of the packet body. One can then overwrite the state variable used by the function to determine which state of packet parsing is currently occurring. Because the buffer is allocated when the last byte of the header has been copied, the combination of having a bad header length variable that will never match the counter variable and being able to overwrite the state variable with the resulting buffer overflow can be used to advance the function to the next step while skipping the buffer allocation and resulting pointer write. The next 16 bytes from the packet body are then written wherever the corrupted data pointer is pointing.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-11-20T00:00:00

Updated: 2024-11-25T21:07:44.461Z

Reserved: 2024-10-11T00:00:00

Link: CVE-2024-48981

cve-icon Vulnrichment

Updated: 2024-11-25T21:01:45.707Z

cve-icon NVD

Status : Modified

Published: 2024-11-20T20:15:19.097

Modified: 2024-11-25T22:15:13.517

Link: CVE-2024-48981

cve-icon Redhat

No data.