Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-4424: bt: hci: DoS and possible RCE

An malicious BLE device can cause buffer overflow by sending malformed advertising packet BLE device using Zephyr OS, leading to DoS or potential RCE on the victim BLE device.

CVE
#vulnerability#rce#perl#buffer_overflow

Summary

The function le_advertising_report in /subsys/bluetooth/controller/hci/hci.c does not process the
advertising packet properly when copying data.
An malicious bLE device can cause buffer overflow by sending malformed advertising packet BLE device
using Zephyr OS, leading to DoS or potential RCE on the victim BLE device.

Details

The code that cause buffer overflow is function le_advertising_report in
/subsys/bluetooth/controller/hci/hci.c.
In the following code, there are three lines of code that are the main causes of buffer overflow, labeled as
(1) and (2).

static void le_advertising_report(struct pdu_data *pdu_data, struct node_rx_pdu *node_rx, struct net_buf *buf) { const uint8_t c_adv_type[] = { 0x00, 0x01, 0x03, 0xff, 0x04, 0xff, 0x02 }; struct bt_hci_evt_le_advertising_report *sep; struct pdu_adv *adv = (void *)pdu_data; struct bt_hci_evt_le_advertising_info *adv_info;uint8_t data_len; uint8_t info_len; int8_t rssi; … if (adv->type != PDU_ADV_TYPE_DIRECT_IND) { // (1) - Integer overflow data_len = (adv->len - BDADDR_SIZE); } else { data_len = 0U; } info_len = sizeof(struct bt_hci_evt_le_advertising_info) + data_len + sizeof(*prssi); sep = meta_evt(buf, BT_HCI_EVT_LE_ADVERTISING_REPORT, sizeof(*sep) + info_len); … adv_info = (void *)(((uint8_t *)sep) + sizeof(*sep)); … adv_info->length = data_len; // (2) - Buffer overflow memcpy(&adv_info->data[0], &adv->adv_ind.data[0], data_len); … }

(1) - Integer overflow
The value of adv->len is 1 and BDADDR_SIZE is equal to 6.
Since the type of data_len is uint8_t, the result of (adv->len - BDADDR_SIZE) will finally equal to
251 and save it into data_len . This is obviously an integer overflow, the value of adv->len should
be checked before this line.(2) - Buffer overflow
In this case, when I was debugging with central_hr with gdb, I saw the maximum size of buf is 45, so
copy 251 bytes into &adv_info->data[0] will definitely lead to buffer overflow

le_mesh_scan_report and le_ext_adv_legacy_report in /subsys/bluetooth/controller/hci/hci.c have
same vulnerable code pattern like le_advertising_report . I also observed buffer overflow occurring in
le_ext_adv_legacy_report , but it did not trigger a crash. The reason for this is that overflow data does
not overwrite data used by other functions.
Although these two functions did not trigger a crash during my tests, it should still be considered as
vulnerabilities. Since data layout depends on configuration, buffer overflow may triggered under certain
configuration.

Impact

An malicious bLE device can cause buffer overflow by sending malformed advertising packet BLE device
using Zephyr OS, leading to DoS or potential RCE on the victim BLE device.

Patches

main: #61651
2.7: #61694
3.3: #61695
3.4: #61696

For more information

If you have any questions or comments about this advisory:

Open an issue in zephyr
Email us at Zephyr-vulnerabilities
embargo: 2023-11-01

Credits

Reported by Wei Che Kao (Xiaobye), graduate student from National Yang Ming Chiao Tung University, Dept. of CS, Security and Systems Lab.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907