Vulnerabilities¶
This page collects all of the vulnerabilities that are discovered and fixed in each release. It will also often have more details than is available in the releases. Some vulnerabilities are deemed to be sensitive, and will not be publicly discussed until there is sufficient time to fix them. Because the release notes are locked to a version, the information here can be updated after the embargo is lifted.
CVE-2017¶
CVE-2017-14199¶
Buffer overflow in getaddrinfo().
CVE-2017-14201¶
The shell DNS command can cause unpredictable results due to misuse of stack variables.
Use After Free vulnerability in the Zephyr shell allows a serial or telnet connected user to cause denial of service, and possibly remote code execution.
This has been fixed in release v1.14.0.
CVE-2017-14202¶
The shell implementation does not protect against buffer overruns resulting in unpredictable behavior.
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the shell component of Zephyr allows a serial or telnet connected user to cause a crash, possibly with arbitrary code execution.
This has been fixed in release v1.14.0.
CVE-2019¶
CVE-2019-9506¶
The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka “KNOB”) that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.
CVE-2020¶
CVE-2020-10019¶
Buffer Overflow vulnerability in USB DFU of zephyr allows a USB connected host to cause possible remote code execution.
This has been fixed in releases v1.14.2, v2.2.0, and v2.1.1.
CVE-2020-10021¶
Out-of-bounds write in USB Mass Storage with unaligned sizes
Out-of-bounds Write in the USB Mass Storage memoryWrite handler with unaligned Sizes.
See NCC-ZEP-024, NCC-ZEP-025, NCC-ZEP-026
This has been fixed in releases v1.14.2, and v2.2.0.
CVE-2020-10022¶
UpdateHub Module Copies a Variable-Size Hash String Into a Fixed-Size Array
A malformed JSON payload that is received from an UpdateHub server may trigger memory corruption in the Zephyr OS. This could result in a denial of service in the best case, or code execution in the worst case.
See NCC-ZEP-016
This has been fixed in the below pull requests for main, branch from v2.1.0, and branch from v2.2.0.
CVE-2020-10023¶
Shell Subsystem Contains a Buffer Overflow Vulnerability In shell_spaces_trim
The shell subsystem contains a buffer overflow, whereby an adversary with physical access to the device is able to cause a memory corruption, resulting in denial of service or possibly code execution within the Zephyr kernel.
See NCC-ZEP-019
This has been fixed in releases v1.14.2, v2.2.0, and in a branch from v2.1.0,
CVE-2020-10024¶
ARM Platform Uses Signed Integer Comparison When Validating Syscall Numbers
The arm platform-specific code uses a signed integer comparison when validating system call numbers. An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel.
See NCC-ZEP-001
This has been fixed in releases v1.14.2, and v2.2.0, and in a branch from v2.1.0,
CVE-2020-10027¶
ARC Platform Uses Signed Integer Comparison When Validating Syscall Numbers
An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel.
See NCC-ZEP-001
This has been fixed in releases v1.14.2, and v2.2.0, and in a branch from v2.1.0.
CVE-2020-10028¶
Multiple Syscalls In GPIO Subsystem Performs No Argument Validation
Multiple syscalls with insufficient argument validation
See NCC-ZEP-006
This has been fixed in releases v1.14.2, and v2.2.0, and in a branch from v2.1.0.
CVE-2020-10058¶
Multiple Syscalls In kscan Subsystem Performs No Argument Validation
Multiple syscalls in the Kscan subsystem perform insufficient argument validation, allowing code executing in userspace to potentially gain elevated privileges.
See NCC-ZEP-006
This has been fixed in a branch from v2.1.0, and release v2.2.0.
CVE-2020-10059¶
UpdateHub Module Explicitly Disables TLS Verification
The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware images requiring valid signatures. However, there is no benefit to using DTLS without the peer checking.
See NCC-ZEP-018
This has been fixed in a PR against Zephyr main.
CVE-2020-10060¶
UpdateHub Might Dereference An Uninitialized Pointer
In updatehub_probe, right after JSON parsing is complete, objects[1] is accessed from the output structure in two different places. If the JSON contained less than two elements, this access would reference unitialized stack memory. This could result in a crash, denial of service, or possibly an information leak.
Recommend disabling updatehub until such a time as a fix can be made available.
See NCC-ZEP-030
This has been fixed in a PR against Zephyr main.
CVE-2020-10061¶
Error handling invalid packet sequence
Improper handling of the full-buffer case in the Zephyr Bluetooth implementation can result in memory corruption.
This has been fixed in branches for v1.14.0, v2.2.0, and will be included in v2.3.0.
CVE-2020-10062¶
Packet length decoding error in MQTT
CVE: An off-by-one error in the Zephyr project MQTT packet length decoder can result in memory corruption and possible remote code execution. NCC-ZEP-031
The MQTT packet header length can be 1 to 4 bytes. An off-by-one error in the code can result in this being interpreted as 5 bytes, which can cause an integer overflow, resulting in memory corruption.
This has been fixed in main for v2.3.
CVE-2020-10063¶
Remote Denial of Service in CoAP Option Parsing Due To Integer Overflow
A remote adversary with the ability to send arbitrary CoAP packets to be parsed by Zephyr is able to cause a denial of service.
This has been fixed in main for v2.3.
CVE-2020-10064¶
Improper Input Frame Validation in ieee802154 Processing
CVE-2020-10065¶
OOB Write after not validating user-supplied length (<= 0xffff) and copying to fixed-size buffer (default: 77 bytes) for HCI_ACL packets in bluetooth HCI over SPI driver.
This issue has not been fixed.
CVE-2020-10066¶
Incorrect Error Handling in Bluetooth HCI core
In hci_cmd_done, the buf argument being passed as null causes nullpointer dereference.
CVE-2020-10067¶
Integer Overflow In is_in_region Allows User Thread To Access Kernel Memory
A malicious userspace application can cause a integer overflow and bypass security checks performed by system call handlers. The impact would depend on the underlying system call and can range from denial of service to information leak to memory corruption resulting in code execution within the kernel.
See NCC-ZEP-005
This has been fixed in releases v1.14.2, and v2.2.0.
CVE-2020-10068¶
Zephyr Bluetooth DLE duplicate requests vulnerability
In the Zephyr project Bluetooth subsystem, certain duplicate and back-to-back packets can cause incorrect behavior, resulting in a denial of service.
This has been fixed in branches for v1.14.0, v2.2.0, and will be included in v2.3.0.
CVE-2020-10069¶
Zephyr Bluetooth unchecked packet data results in denial of service
An unchecked parameter in bluetooth data can result in an assertion failure, or division by zero, resulting in a denial of service attack.
This has been fixed in branches for v1.14.0, v2.2.0, and will be included in v2.3.0.
CVE-2020-10070¶
MQTT buffer overflow on receive buffer
In the Zephyr Project MQTT code, improper bounds checking can result in memory corruption and possibly remote code execution. NCC-ZEP-031
When calculating the packet length, arithmetic overflow can result in accepting a receive buffer larger than the available buffer space, resulting in user data being written beyond this buffer.
This has been fixed in main for v2.3.
CVE-2020-10071¶
Insufficient publish message length validation in MQTT
The Zephyr MQTT parsing code performs insufficient checking of the length field on publish messages, allowing a buffer overflow and potentially remote code execution. NCC-ZEP-031
This has been fixed in main for v2.3.
CVE-2020-10072¶
All threads can access all socket file descriptors
There is no management of permissions to network socket API file descriptors. Any thread running on the system may read/write a socket file descriptor knowing only the numerical value of the file descriptor.
CVE-2020-10136¶
IP-in-IP protocol routes arbitrary traffic by default zephyrproject
CVE-2020-13598¶
FS: Buffer Overflow when enabling Long File Names in FAT_FS and calling fs_stat
Performing fs_stat on a file with a filename longer than 12 characters long will cause a buffer overflow.
CVE-2020-13599¶
Security problem with settings and littlefs
When settings is used in combination with littlefs all security related information can be extracted from the device using MCUmgr and this could be used e.g in bt-mesh to get the device key, network key, app keys from the device.
CVE-2020-13600¶
Malformed SPI in response for eswifi can corrupt kernel memory
CVE-2020-13601¶
Possible read out of bounds in dns read
CVE-2020-13602¶
Remote Denial of Service in LwM2M do_write_op_tlv
In the Zephyr LwM2M implementation, malformed input can result in an infinite loop, resulting in a denial of service attack.
CVE-2020-13603¶
Possible overflow in mempool
Zephyr offers pre-built ‘malloc’ wrapper function instead.
The ‘malloc’ function is wrapper for the ‘sys_mem_pool_alloc’ function
sys_mem_pool_alloc allocates ‘size + WB_UP(sizeof(struct sys_mem_pool_block))’ in an unsafe manner.
Asking for very large size values leads to internal integer wrap-around.
Integer wrap-around leads to successful allocation of very small memory.
For example: calling malloc(0xffffffff) leads to successful allocation of 7 bytes.
That leads to heap overflow.
CVE-2021¶
CVE-2021-3320¶
Mismatch between validation and handling of 802154 ACK frames, where ACK frames are considered during validation, but not during actual processing, leading to a type confusion.
CVE-2021-3321¶
Incomplete check of minimum IEEE 802154 fragment size leading to an integer underflow.
CVE-2021-3323¶
Integer Underflow in 6LoWPAN IPHC Header Uncompression
This issue has not been fixed.
CVE-2021-3430¶
Assertion reachable with repeated LL_CONNECTION_PARAM_REQ.
This has been fixed in main for v2.6.0
CVE-2021-3431¶
BT: Assertion failure on repeated LL_FEATURE_REQ
This has been fixed in main for v2.6.0
CVE-2021-3432¶
Invalid interval in CONNECT_IND leads to Division by Zero
This has been fixed in main for v2.6.0
CVE-2021-3433¶
BT: Invalid channel map in CONNECT_IND results to Deadlock
This has been fixed in main for v2.6.0
CVE-2021-3434¶
L2CAP: Stack based buffer overflow in le_ecred_conn_req()
This has been fixed in main for v2.6.0
CVE-2021-3435¶
L2CAP: Information leakage in le_ecred_conn_req()
This has been fixed in main for v2.6.0
CVE-2021-3454¶
Truncated L2CAP K-frame causes assertion failure
For example, sending L2CAP K-frame where SDU length field is truncated to only one byte, causes assertion failure in previous releases of Zephyr. This has been fixed in master by commit 0ba9437 but has not yet been backported to older release branches.
This has been fixed in main for v2.6.0
CVE-2021-3455¶
Disconnecting L2CAP channel right after invalid ATT request leads freeze
When Central device connects to peripheral and creates L2CAP connection for Enhanced ATT, sending some invalid ATT request and disconnecting immediately causes freeze.
This has been fixed in main for v2.6.0
CVE-2021-3581¶
Under embargo until 2021/09/04