In the Android kernel in VPN routing there is a possible information disclosure. This could lead to remote information disclosure by an adjacent network attacker with no additional execution privileges needed. User interaction is not needed for exploitation.

_Published September 3, 2019 | Updated September 12, 2019_

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices (Google devices). For Google devices, security patch levels of 2019-09-05 or later address all issues in this bulletin and all issues in the September 2019 Android Security Bulletin. To learn how to check a device's security patch level, see Check & update your Android version.

All supported Google devices will receive an update to the 2019-09-05 patch level. We encourage all customers to accept these updates for their devices.

**Announcements**

In addition to the security vulnerabilities described in the September 2019 Android Security Bulletin, supported Google devices that are updated to Android 10 also contain patches for the security vulnerabilities described in this bulletin. Partners were notified that these issues are addressed in Android 10.

**Security patches**

The following tables include security patches that are addressed on Pixel devices with Android 10. Vulnerabilities are grouped under the component that they affect. Issues are described in the below tables and include CVE ID, associated references, type of vulnerability, severity, and updated Android Open Source Project (AOSP) versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Broadcom components**

    

CVE

References

Type

Severity

Component

CVE-2019-9426

A-110460199\*

EoP

Moderate

Bluetooth

**LG components**

    

CVE

References

Type

Severity

Component

CVE-2019-9436

A-127320561\*

EoP

Moderate

Bootloader

CVE-2019-2191

A-68770980\*

ID

Moderate

Bootloader

CVE-2019-2190

A-68771598\*

ID

Moderate

Bootloader

**Kernel components**

    

CVE

References

Type

Severity

Component

CVE-2019-9345

A-27915347\*

EoP

High

Kernel

CVE-2019-9461

A-120209610\*

ID

High

VPN

CVE-2019-9248

A-120279144\*

EoP

Moderate

Touch driver

CVE-2019-9270

A-65123745\*

EoP

Moderate

Wi-Fi

CVE-2019-2182

A-128700140  
Upstream kernel

EoP

Moderate

Kernel MMU

CVE-2019-9271

A-69006201\*

EoP

Moderate

MNH driver

CVE-2019-9273

A-70241598\*

EoP

Moderate

Touch driver

CVE-2019-9274

A-70809925\*

EoP

Moderate

MNH driver

CVE-2019-9275

A-71508439\*

EoP

Moderate

MNH driver

CVE-2019-9276

A-70294179\*

EoP

Moderate

Touch driver

CVE-2019-9441

A-69006882\*

EoP

Moderate

MNH driver

CVE-2019-9442

A-69808778\*

EoP

Moderate

MNH driver

CVE-2019-9443

A-70896844\*

EoP

Moderate

VL53L0 driver

CVE-2019-9446

A-118617506\*

EoP

Moderate

Touch driver

CVE-2019-9447

A-119120571  
Upstream kernel

EoP

Moderate

Touch driver

CVE-2019-9448

A-120141999  
Upstream kernel

EoP

Moderate

Touch driver

CVE-2019-9450

A-120141034  
Upstream kernel

EoP

Moderate

Touch driver

CVE-2019-9451

A-120211415  
Upstream kernel

EoP

Moderate

Touch driver

CVE-2019-9454

A-129148475  
Upstream kernel

EoP

Moderate

I2C driver

CVE-2019-9456

A-71362079  
Upstream kernel

EoP

Moderate

USB driver

CVE-2019-9457

A-116716935  
Upstream kernel

EoP

Moderate

Kernel

CVE-2019-9458

A-117989855  
Upstream kernel

EoP

Moderate

Video driver

CVE-2019-8912

A-125367761  
Upstream kernel

EoP

Moderate

Crypto

CVE-2018-18397

A-124036248  
Upstream kernel

EoP

Moderate

Storage

CVE-2018-14614

A-116406552  
Upstream kernel

EoP

Moderate

Storage

CVE-2018-1000199

A-110918800  
Upstream kernel

EoP

Moderate

ptrace

CVE-2018-13096

A-113148557  
Upstream kernel

EoP

Moderate

Storage

CVE-2018-5803

A-112406370  
Upstream kernel

DoS

Moderate

SCTP

CVE-2019-2189

A-112312381

EoP

Moderate

Image driver

CVE-2019-2188

A-112309571\*

EoP

Moderate

Image driver

CVE-2017-16939

A-70521013  
Upstream kernel

EoP

Moderate

Netlink XFRM

CVE-2018-20169

A-120783657  
Upstream kernel

ID

Moderate

USB driver

CVE-2019-9245

A-120491338  
Upstream kernel

ID

Moderate

Storage driver

CVE-2019-9444

A-78597155  
Upstream kernel

ID

Moderate

Storage driver

CVE-2019-9445

A-118153030  
Upstream kernel

ID

Moderate

Storage driver

CVE-2019-9449

A-120141031  
Upstream kernel

ID

Moderate

Touch driver

CVE-2019-9452

A-120211708  
Upstream kernel

ID

Moderate

Touch driver

CVE-2019-9453

A-126558260  
Upstream kernel

ID

Moderate

Storage driver

CVE-2019-9455

A-121035792  
Upstream kernel

ID

Moderate

Video driver

CVE-2018-19985

A-131963918  
Upstream kernel

ID

Moderate

USB driver

CVE-2018-20511

A-123742046  
Upstream kernel

ID

Moderate

nNet/AppleTalk

CVE-2018-1000204

A-113096593  
Upstream kernel

ID

Moderate

Storage

**Qualcomm components**

    

CVE

References

Type

Severity

Component

CVE-2017-14888

A-70237718  
QC-CR#2119729

N/A

Moderate

WLAN host

CVE-2018-3573

A-72957667  
QC-CR#2124525

N/A

Moderate

Bootloader

CVE-2017-15844

A-67749071  
QC-CR#2127276

N/A

Moderate

Kernel

CVE-2018-3574

A-72957321  
QC-CR#2148121 \[2\] \[3\]

N/A

Moderate

Kernel

CVE-2018-5861

A-77527684  
QC-CR#2167135

N/A

Moderate

Bootloader

CVE-2018-11302

A-109741923  
QC-CR#2209355

N/A

Moderate

WLAN host

CVE-2018-5919

A-65423852  
QC-CR#2213280

N/A

Moderate

WLAN host

CVE-2018-11818

A-111127974  
QC-CR#2170083 \[2\]

N/A

Moderate

MDSS driver

CVE-2018-11832

A-111127793  
QC-CR#2212896

N/A

Moderate

Kernel

CVE-2018-11893

A-111127990  
QC-CR#2231992

N/A

Moderate

WLAN host

CVE-2018-11919

A-79217930  
QC-CR#2209134 \[2\] \[3\]

N/A

Moderate

Kernel

CVE-2018-11939

A-77237693  
QC-CR#2254305

N/A

Moderate

WLAN host

CVE-2018-11823

A-112277122  
QC-CR#2204519

N/A

Moderate

Power

CVE-2018-11929

A-112277631  
QC-CR#2231300

N/A

Moderate

WLAN host

CVE-2018-11943

A-72117228  
QC-CR#2257823

N/A

Moderate

Bootloader

CVE-2018-11947

A-112277911  
QC-CR#2246110 \[2\]

N/A

Moderate

WLAN host

CVE-2018-11947

A-112278406  
QC-CR#2272696

N/A

Moderate

WLAN host

CVE-2018-11942

A-112278151  
QC-CR#2257688

N/A

Moderate

WLAN host

CVE-2018-11983

A-80095430  
QC-CR#2262576

N/A

Moderate

Kernel

CVE-2018-11984

A-80435805  
QC-CR#2266693

N/A

Moderate

Kernel

CVE-2018-11987

A-70638103  
QC-CR#2258691

N/A

Moderate

Kernel

CVE-2018-11985

A-114041193  
QC-CR#2163851

N/A

Moderate

Bootloader

CVE-2018-11988

A-114041748  
QC-CR#2172134 \[2\]

N/A

Moderate

Kernel

CVE-2018-11986

A-62916765  
QC-CR#2266969

N/A

Moderate

Camera

CVE-2018-12010

A-62711756  
QC-CR#2268386

N/A

Moderate

Kernel

CVE-2018-12006

A-77237704  
QC-CR#2257685 \[2\]

N/A

Moderate

Display

CVE-2018-13893

A-80302295  
QC-CR#2291309 \[2\]

N/A

Moderate

diag\_mask

CVE-2018-12011

A-109697864  
QC-CR#2274853

N/A

Moderate

Kernel

CVE-2018-13912

A-119053502  
QC-CR#2283160 \[2\]

N/A

Moderate

Camera

CVE-2018-13913

A-119053530  
QC-CR#2286485 \[2\]

N/A

Moderate

Display

CVE-2018-3564

A-119052383  
QC-CR#2225279

N/A

Moderate

DSP services

CVE-2019-2248

A-122474006  
QC-CR#2328906

N/A

Moderate

Display

CVE-2019-2277

A-127512945  
QC-CR#2342812

N/A

Moderate

WLAN host

CVE-2019-2263

A-116024809  
QC-CR#2076623

N/A

Moderate

Kernel

CVE-2019-2345

A-110849476  
QC-CR#2115578

N/A

Moderate

Camera

CVE-2019-2306

A-115907574  
QC-CR#2337383 \[2\]

N/A

Moderate

Display

CVE-2019-2299

A-117988970  
QC-CR#2243169

N/A

Moderate

WLAN host

CVE-2019-2312

A-117885392  
QC-CR#2341890

N/A

Moderate

WLAN host

CVE-2019-2314

A-120028144  
QC-CR#2357704

N/A

Moderate

Display

CVE-2019-2314

A-120029095  
QC-CR#2357704

N/A

Moderate

Display

CVE-2019-2302

A-130565935  
QC-CR#2300516

N/A

Moderate

WLAN host

CVE-2019-10506

A-117885703  
QC-CR#2252793

N/A

Moderate

WLAN host

CVE-2018-13890

A-111274306  
QC-CR#2288818

N/A

Moderate

WLAN host

CVE-2019-10507

A-132170503  
QC-CR#2253396

N/A

Moderate

WLAN host

CVE-2019-10508

A-132173922  
QC-CR#2288818

N/A

Moderate

WLAN host

CVE-2019-2284

A-132173427  
QC-CR#2358765

N/A

Moderate

Camera

CVE-2019-2333

A-132171964  
QC-CR#2381014 \[2\] \[3\]

N/A

Moderate

Kernel

CVE-2019-2341

A-132172264  
QC-CR#2389324 \[2\]

N/A

Moderate

Audio

CVE-2019-10497

A-132173298  
QC-CR#2395102

N/A

Moderate

Audio

CVE-2019-10542

A-134440623  
QC-CR#2359884

N/A

Moderate

WLAN host

CVE-2019-10502

A-134441002  
QC-CR#2401297 \[2\] \[3\]

N/A

Moderate

Camera

CVE-2019-10528

A-63528466  
QC-CR#2133028 \[2\]

N/A

Moderate

Kernel

CVE-2018-11825

A-117985523  
QC-CR#2205722

N/A

Moderate

WLAN host

CVE-2019-10565

A-129275872  
QC-CR#2213706

N/A

Moderate

Camera

**Qualcomm closed-source components**

    

CVE

References

Type

Severity

Component

CVE-2018-11899

A-69383398\*

N/A

Moderate

Closed-source component

CVE-2019-2298

A-118897119\*

N/A

Moderate

Closed-source component

CVE-2019-2281

A-129765896\*

N/A

Moderate

Closed-source component

CVE-2019-2343

A-130566880\*

N/A

Moderate

Closed-source component

**Functional patches**

Please see this post for a description of features included with Android 10.

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

Security patch levels of 2019-09-05 or later address all issues associated with the 2019-09-05 security patch level and all previous patch levels. To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the Android bug ID in the _References_ column. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and the Android Security Bulletins?**

Security vulnerabilities that are documented in the Android Security Bulletins are required to declare the latest security patch level on Android devices. Additional security vulnerabilities, such as those documented in this bulletin are not required for declaring a security patch level.

**Versions**

  

Version

Date

Notes

1.0

September 3, 2019

Bulletin published.

1.1

September 12, 2019

Bulletin updated.

CVE-2019-9461: Pixel Update Bulletin—September 2019  |  Android Open Source Project

The rsvpmaker plugin before 6.2 for WordPress has SQL injection.

CVE-2019-15646: RSVPMaker

The ad-inserter plugin before 2.4.20 for WordPress has path traversal.

CVE-2019-15323: Ad Inserter – Ad Manager & AdSense Ads

The cforms2 plugin before 14.6.10 for WordPress has SQL injection.

CVE-2015-9333: cformsII

The wp-slimstat plugin before 4.8.1 for WordPress has XSS.

*   Details
*   Reviews
*   Installation
*   Development

Track returning customers and registered users, monitor Javascript events, detect intrusions, analyze email campaigns. Thousands of WordPress sites are already using it.

**Main features**

*   **Real-Time Access Log**: measure server latency, track page events, keep an eye on your bounce rate and much more.
*   **Shortcodes**: display reports in widgets or directly in posts and pages.
*   **GDPR**: fully compliant with the GDPR European law. You can test your website at cookiebot.com.
*   **Filters**: exclude users from statistics collection based on various criteria, including user roles, common robots, IP subnets, admin pages, country, etc.
*   **Export to Excel**: download your reports as CSV files, generate user heatmaps or get daily emails right in your mailbox (via premium add-ons).
*   **Cache**: compatible with W3 Total Cache, WP SuperCache, CloudFlare and most caching plugins.
*   **Privacy**: hash IP addresses to protect your users’ privacy.
*   **Geolocation**: identify your visitors by city and country, browser type and operating system (courtesy of MaxMind and Browscap).
*   **World Map**: see where your visitors are coming from, even on your mobile device (courtesy of amMap).

**Requirements**

*   WordPress 5.0+
*   PHP 7.4+
*   MySQL 5.0.3+
*   At least 5 MB of free web space (240 MB if you plan on using the external libraries for geolocation and browser detection)
*   At least 10 MB of free DB space
*   At least 32 Mb of free PHP memory for the tracker (peak memory usage)

**Please note**

*   If you decide to uninstall Slimstat Analytics, all the stats will be **PERMANENTLY** deleted from your database. Make sure to setup a database backup (wp\_slim\_\*) to avoid losing your data.

1.  In your WordPress admin, go to Plugins > Add New
2.  Search for Slimstat Analytics
3.  Click on **Install Now** next to Slimstat Analytics and then activate the plugin
4.  Make sure your template calls wp_footer() or the equivalent hook somewhere (possibly just before the </body> tag)

An extensive knowledge base is available on our website.

Thanks for this plugin! I really enjoy using the real-time user data. It also helps to find out about 404 errors/links on the site. You are doing great 🙂

I want a real time stats of active users on various pages of my site. But the real time page simply lists the current users and there is a map showing their location. Also, there are setting for date range??? This page could be configured better. Include setting as to what qualifies a active user (such as entered page within the last 15 minutes). Some information presented is useful. Also, stats regarding performance taxing on server would be good. But as it is, I don't think I will keep this over GA4.

Best in-house stats plugin for wordpress I could find and great support. No more sharing my website data with third-parties, like Google Analytics. Highly recommend it.

The plugin has been updated. It downloads and unpacks the GeoLite2 database from Maxmind for WooCommerce website without a hiccup. Thank you for a great tool, essential for planning inventory and blocking gargoyles.

Demasiado brutal, tengo menos de un minuto usándola y ya la amo.

especially since the author renewed the plugin recently. It's got geolocation and browser useragent working. Wonderful

Read all 807 reviews

“Slimstat Analytics” is open source software. The following people have contributed to this plugin.

Contributors

**4.9.3.2**

*   \[Fix\] The filtering issue

**4.9.3.1**

*   \[Fix\] Query issue in UTF-8 slugs

**4.9.3**

*   \[Update\] New logo and icon for the plugin!
*   \[Fix\] Hardened plugin security and sanitization of user input and escaped output

**4.9.2**

*   \[Fix\] Fixed tweak notice errors while activating the plugin in fresh installation
*   \[Update\] Tested up to WordPress v6.1

**4.9.0.1**

*   \[Fix\] Entries in the Top Referring Domains report were pointing to broken links (thank you, s7ech).
*   \[Fix\] The new Browscap Library requires at least PHP 7.4, up from 7.1. (thank you, Daniel Jaraud).

**4.9**

*   \[New\] Browscap Library is now bundled with the main plugin, only definition files are downloaded dynamically.
*   \[New\] Support MaxMind License Key for GeoLite2 database downloads.
*   \[New\] Speedup Browscap version check when repository site is down.
*   \[New\] Delete plugin settings and stats only if explicitly enabled in settings
*   \[Fix\] Addressed a PHP warning of undefined variable when parsing a query string looking for search term keywords (thank you, inndesign).
*   \[Fix\] Fixed SQL error when Events Manager plugin is installed, ‘Posts and Pages’ is enabled, and no events are existing (thank you, lwangamaman.
*   \[Fix\] Starting with 4.9, PHP 7.4+ is required (thank you, stephanie-mitchell.
*   \[Fix\] Opt-Out cookie does not delete slimstat cookie.

**4.8.8.1**

*   \[Update\] The Privacy Mode option under Slimstat > Settings > Tracker now controls the fingerprint collection mechanism as well. If you have this option enabled to comply with European privacy laws, your visitors’ IP addresses will be masked and they won’t be fingerprinted (thank you, Peter).
*   \[Update\] Improved handling of our local DNS cache to store hostnames when the option to convert IP addresses is enabled in the settings.
*   \[Fix\] Redirects from the canonical URL to its corresponding nice permalink were being affected by a new feature introduce in version 4.8.7 (thank you, Brookjnk).
*   \[Fix\] The new tracker was throwing a Javascript error when handling events attached to DOM elements without a proper hierarchy (thank , you pollensteyn).
*   \[Fix\] Tracking downloads using third-party solutions like Download Attachments was not working as expected (thank you, damianomalorzo).
*   \[Fix\] Inverted stacking order of dots on the map so that the most recent pageviews are always on top, when dots are really close to each other.
*   \[Fix\] A warning message was being returned by the function looking for search keywords in the URL (thank you, Ryan).

**4.8.8**

*   \[New\] Implemented new FingerPrintJs2 library in the tracker. Your visitors are now associated with a unique identifier that does not rely on cookies, IP address or other unreliable information. This will allow Slimstat to produce more accurate results in terms of session lenghts, user patterns and much more.
*   \[New\] Added event handler for ‘beforeunload’, which will allow the tracker to better meausure the time spent by your visitors on each page. This will make our upcoming new charts even more accurate.
*   \[Update\] Improved algorithm that scans referrer URLs for search terms, and introduced a new list of search engines. Please help us improve this list by submitting your missing search engine entries.
*   \[Update\] Added title field to Slimstat widgets (thank you, jaroslawistok).
*   \[Update\] Reverted a change to the Top Web Pages report that was now combining URLs with a trailing slash and ones without one into one result. As James pointed out, this is a less accurate measure and hides the fact that people might be accessing the website in different ways.
*   \[Update\] The event tracker now annotates each event with information about the mouse button that was clicked and other useful data.
*   \[Fix\] The Country shortcode was not working as expected because of a change in how we handle localization files.
*   \[Fix\] Renamed slim\_i18n class to avoid conflict with external libraries.

**4.8.7.3**

*   \[New\] Implemented a simple query cache to minimize the number of requests needed to crunch and display the data in the reports.
*   \[Update\] Extended tracker to also record the ‘fragment’ portion of the URL, if available (this feature is only available in Client Mode).
*   \[Update\] Do not show the resource title in Network View mode.
*   \[Fix\] Some reports were not optimized for our Network Analytics add-on (thank you, Peter).
*   \[Fix\] The notice displayed to share the latest news with our users would not disappear even after clicking the X button to close it (thank you, Anton).
*   \[Fix\] The ‘Top Web Pages’ reports was listing duplicate entries.
*   \[Fix\] A regression bug was affecting the Currently Online report, by showing incorrect information for the IP addresses.
*   \[Fix\] After resetting the Customizer view, all reports were being listed twice (thank you, Anton).
*   \[Fix\] A new feature introduced by our Javascript tracker was not working as expected in IE11 (thank you, 51nullacht).

**4.8.7.2**

*   \[Fix\] The new tracker was having problems recording clicks on SVG elements within a link (thank you, pollensteyn).
*   \[Fix\] The event handler is now capable of tracking events on BUTTONs within FORM elements.
*   \[Fix\] Permalinks containing post query strings were not being recorded as expected.

**4.8.7.1**

*   \[Note\] We are in the process of deprecating the two columns _type_ and _event\_description_ in the events table, and consolidating that information in the _notes_ field. Code will be added to Slimstat in a few released to actually drop these columns from the database. If you are using those two columns in your custom code, please feel free to contact our support team to discuss your options and how to update your code using the information collected by the new tracker.
*   \[Fix\] A warning message was being displayed when enabling the opt-out feature with certain versions of PHP.
*   \[Fix\] PHP warning being displayed when trying to update some of the add-ons’ settings.
*   \[Fix\] The new tracker was recording the number of posts on an archive page even when the single article was being displayed.
*   \[Fix\] License keys for premium add-ons were not being saved as expected, due to a side effect of the new security features we implemented in the Settings.

**4.8.7**

*   \[New\] With this update, we are introducing an _updated tracker_ (both server and client-side): a new simplified codebase that gets rid of a few layers of convoluted functions and algorithms accumulated over the years. We have been working on this update for quite a while, and the recent conflict with another plugin discovered by some users convinced us to make this our top priority. Even though we have tested our new code using a variety of scenarios, you can understand how it would be impossible to cover all the possible environments available out there. Make sure to clear your caches (local, Cloudflare, WP plugins, etc), to allow Slimstat to append the new tracking script to your pages. Also, if you are using Slimstat to track _external_ pages (outside of your WP install), please make sure to update the code you’re using on those pages with the new one you can find in Slimstat > Settings > Tracker > External Pages.
*   \[New\] Increased minimum WordPress requirements to version 4.9, given that we are now using some more modern functions to enqueue the tracker and implement the customizer feature.
*   \[Update\] We tweaked the SQL query to retrieve ‘recent’ results, and added a GROUP BY clause to remove duplicates. This might affect some custom reports you might have created, so please don’t hesitate to contact us if you have any question or experience any issues.
*   \[Update\] The columns to store event type and description are being deprecated, and consolidated into the existing ‘notes’ column. Our function ss_track() will only accept the note parameter moving forward. Please update your custom code accordingly. In a few releases, we are going to drop those columns from the database.
*   \[Update\] Changed wording on Traffic Sources report to explain what kind of search engine result pages are being counted (thank you, Nina).
*   \[Fix\] The button to delete all the records from the database was not working as expected (thank you, Softfully).
*   \[Fix\] When the plugin was network activated on a group of existing blogs, the tables used to store all the records were not initialized as expected, under given circumstances.
*   \[Fix\] A bug was affecting certain shortcodes when PHP 7.2 was enabled (thank you, Peter).
*   \[Fix\] Emptying one of the settings and saving did not produce the desired effect.

CVE-2019-15112: Slimstat Analytics

An exploitable information disclosure vulnerability exists in the Weave Legacy Pairing functionality of Nest Cam IQ Indoor version 4620002. A set of specially crafted weave packets can cause an out of bounds read, resulting in information disclosure. An attacker can send packets to trigger this vulnerability.

**Summary**

An exploitable information disclosure vulnerability exists in the Weave Legacy Pairing functionality of Nest Cam IQ Indoor version 4620002. A set of specially crafted weave packets can cause an out of bounds read, resulting in information disclosure. An attacker can send packets to trigger this vulnerability.

**Tested Versions**

Nest Labs Nest Cam IQ Indoor version 4620002

**Product URLs**

https://store.nest.com/product/nest-cam-iq/NC3200US

**CVSSv3 Score**

5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

**CWE**

CWE-125: Out-of-bounds Read

**Details**

The Nest Cam IQ Indoor is one of Nest Labs most expensive and advanced devices, integrating Google Assistant, Facial recognition and even the capability to act as an 6lowpan hub for other less powerful IoT devices. The main protocol that is used for setup and initial communications of Nest devices is Weave, a protocol designed strictly for IoT devices, which can run over TCP, UDP, Bluetooth and 6lowpan.

Before going into the details of the bug itself, a quick overview of the Weave protocol and terminology is needed, so for brevity, here’s a packet dissection of a sample weave packet:

    --------TCP Message Layer-----------  //[1]
    Mesage_Length   : 0x0146
    Message Version : 0x1
    Message_Id      : 0x00000004
    Message_Flags   : 0x0300    : [ Dstnode|Srcnode ]
    Src_Node        : 0000000000000002
    Dst_Node        : 0000000000000001
    Encryption      : None
    --------Exchange Layer-----------    //[2]
    Exchange Ver|Flag   :  0x11       :  [ Initiator ]
    Exchange MsgType    :  0x1        : kMsgType_PASEInitiatorStep1 //[3]
    Exchange ExchangeID :  0x70e3
    Exchange ProfileID  :  0x00000004 : kWeaveProfile_Security  //[4]
    --------Data Layer-----------   //[5]
    kMsgType_PASEInitiatorStep1
    controlHeader: 0x8011213f
    sizeHeader: 0x01070e0e
    ProtocolConfig: 0x235a0004
    AltConfig[0]: 0x235a0001
    gx: 0xe, zkpxgr: 0xe, zkpxb: 0x7
    step1.p1.gx: \x26\x79\x13\xe9\x91\x07\xd8\x95\xd2\xda\xa5\xb9\xc3\x63\x69\xb3\x63\xfa\x8f\x8a\x38\x96\x44\xd3\x60\x7e\x39\xbc\x3b\xc9\xb0\x1f\x0d\x3a\x56\x0a\x9f\x45\x83\x40\x26\x56\x0a\x8c\x1b\xbf\xba\x0e\xed\x61\x7a\x98\xc1\x60\x68\x22
    step1.p2.gx: \x9e\x61\x2e\xc7\x06\x33\x48\xb6\xbd\xfd\xc1\x60\x85\xed\x3f\xa1\x25\xc1\x91\x9c\x6b\xe9\x7e\xd6\x06\x5c\x66\x3b\xe3\x36\x23\x45\xaa\xea\x6e\x12\x87\x68\xa4\x43\x0d\xa5\xd3\x42\x72\x28\x04\x25\x34\x5b\x0a\x30\x41\x00\xa5\x22
    step1.p2.zkpx.gr:
    \x1e\x22\x9a\x94\x67\x36\x88\xc4\x29\xa3\x57\xd3\xbd\xb7\x6a\xee\xba\x17\xc8\x19\xaf\x11\x89\xa3\xc1\x7d\x08\xff\xe5\x65\xd0\x74\xc3\x26\x8d\x20\x83\xe0\x81\x9a\x69\x7e\x67\xe6\x40\xc1\xcc\x83\xe7\x55\x27\x63\x63\x0f\x71\x7d
    step1.p2.zkpx.b: \x38\x07\x74\x4e\x85\x3e\x9a\x2c\x97\x31\x16\xf7\x88\x86\xd8\xa4\x81\x70\xaf\x9b\x72\xf8\x56\x5a\x67\xc4\x15\x7d
    step1.p2.zkpx.gr: \xd3\x0d\x93\x9e\x3b\xe1\x2f\x33\xf2\x80\xb9\x27\x78\x74\xf4\xda\xdf\x90\xeb\x5a\xee\x77\x86\x9b\x44\x37\x13\x55\x83\x9d\x35\x01\x49\xb5\xa7\x61\x06\xa8\x9d\x47\x4b\x76\xca\xbc\xf5\x97\xc4\x83\xf2\x93\x93\x7f\xb1\xec\x16\x27
    step1.p2.zkpx.b: \xeb\xe9\x8c\x3a\x99\x5a\x61\x5f\xe0\x76\x5c\xae\x06\x55\xda\x5c\x45\xca\xc5\x54\x55\xd3\x22\x74\x85\x76\xdd\x0e
    

Weave messages consist of three layers: Message, Exchange, and Data. The Message Layer \[1\] and Exchange Layer \[2\] are both variable sized and consist of little-endian fields as listed above. The Data Layer \[5\] is strictly dependent on the MessageType \[3\] and ProfileId \[4\], and every combination thereof generally has a unique message structure, which can be seen from all the parsed fields below \[5\]. The ProfileID is fittingly used to determine which Weave “Profile” to talk with, and likewise, the MessageType is essentially the opcode for the given Profile.

Turning back now to the vulnerability, if we set the ProfileID to 0x235a0010 (kWeaveVendor_NestLabs), and the message type to 0x1 (kMsgType_CamAuthDataReq), we will end up hitting the following code:

    DropcamLegacyPairingServer::HandleCameraAuthDataRequest(ExchangeContext *ec, PacketBuffer *(&msgBuf)){
    [...]
        // Calculate HMAC of camera secret and auth_data message
        memcpy(authDataMessage, macAddress, EUI48_LEN);
        memcpy(&authDataMessage[EUI48_LEN], noncePtr, CAMERA_NONCE_LEN); //[6]
    
        hmacObj.Begin(secret, CAMERA_SECRET_LEN);
        hmacObj.AddData(authDataMessage, authDataMessageLen);
        hmacObj.Finish(hmac); // secret + mackAdress + nonce. 
                              //   32   +     6      +    64
        // Re-use request buffer
        PacketBuffer::Free(msgBuf);
        msgBuf = PacketBuffer::New();
        VerifyOrExit(msgBuf != NULL, err = WEAVE_ERROR_NO_MEMORY);
    
        // Encode response
        writer.Init(msgBuf, msgBuf->MaxDataLength());
    
        err = writer.PutBytes(AnonymousTag, macAddress, EUI48_LEN);
        SuccessOrExit(err);
    
        err = writer.PutBytes(AnonymousTag, hmac, HMAC_BUF_LEN);
        SuccessOrExit(err);
    
        err = writer.Finalize();
        SuccessOrExit(err);
    
        // Send MAC address and pairing data HMAC to client
        err = ec->SendMessage(kWeaveProfile_DropcamLegacyPairing, kMsgType_CameraAuthDataResponse, msgBuf, 0);
        SuccessOrExit(err);
    [...]
    

In summary, the code takes the last 0x40 bytes from our message, appends that to camera’s secret (32 bytes) and mac address (6 bytes) and then calculates a hmac and sends that in its reply to the initial request. Before the len 0x40 memcpy at \[6\], there is no bounds checking, so there’s not actually any thing stopping out of bounds bytes from being included in this hash.

To actually trigger the vulnerability though, one must also know how the camera stores network data, and how the PacketBuffer objects are implemented. One thing of note however, Weave can be configured for either LWiP based packet storage or a PacketBuffer system, the latter of which is what the Nest Cam utilizes, and will be referenced throughout this advisory.

Upon initialization of the nldaemon process (which implements weave for the Nest Cam IQ Indoor), a static packet buffer array is allocated with 0xF elements that are all 0x648 in length. The PacketBuffer structure is defined as such:

    struct pbuf{
        struct pbuf* next;        // Points to the next Pbuf in the chain
        void * payload;           // Pointer to Pbuf's payload.  
        uint16_t tot_len;        // Never used.
        uint16_t len;            // Length of the current Pbuf. 
        uint16_t ref;            // Current Reference Count of Pbuf. 
    #if WEAVE_SYSTEM_CONFIG_PACKETBUFFER_MAXALLOC == 0 
        uint16_t alloc_size;     // Not defined.
    #endif
    }
    #define WEAVE_SYSTEM_PACKETBUFFER_SIZE 1700
    

An example of a PacketBuffer in memory:

    -------------Start of Pbuf---------------
            pbuf* next(none)                   Payload ptr
    0x55617bdb88:   0x0000000000000000      0x00000055617bdbc0
    0x55617bdb98:   0x0000000100420042      | end of pbuf struct
    0x55617bdba0:                           0x000001e323000060   <---- Weave Headers.
    0x55617bdba8:   0x0000000000000003      0x0000000000000001   <---- Weave headers.
    0x55617bdbc0:   0x235a00100bb00115      | ---- Start of payload.
    0x55617bdbc0:                           0x363534333231010c
    0x55617bdbc8:   0x3635343332313837      0x3635343332313837
    

In order to get the nonce memcpy to occur on valuable data, there are two steps. First, one must have the end of their kMsgType_CamAuthDataReq packet reach the end of a given packet buffer slot. Thankfully this can be done by prepending other weave messages before the kMsgType_CamAuthDataReq, the easiest one being kEchoMessageType_EchoRequest, as it is easy to create and can have variable length.

The second step required to leak useful bytes is that our kMsgType_CamAuthDataReq packet must not occupy the bottom element of the PacketBuffer array. The Camera’s PacketBuffer array fills up from bottom to top, so there must be a packet occupying the bottom slot such that our OOB memcpy can occur on the headers of another PacketBuffer, giving us a pointer to valid memory and allowing us to get around memory randomization.

To fill up the bottom PacketBuffer slot, there’s two reliable methods, first being repeatedly sending packets (in essentially a heap spray manner), the other being to send an incomplete TCP weave packet. If the Message_Length field of a given packet is greater than the bytes received on that connection, the Weave PacketBuffer will hold the packet indefinitely, until it is completed or the connection errors out. This cannot be done over UDP as there is no length field prepended to a UDP weave packet.

Thus to actually derive and leak the desired memory, one must trigger the OOB read such that the first 0x3F bytes are user controlled, but the last byte is from program memory. This will result in the user getting a hash to save. After this, the user should utilize a normal kMsgType_CamAuthDataReq with all 0x40 bytes controlled, but with the last byte being brute forced. One out of the 0xFF possibilities will match our original hash generated with a leaked byte, thus telling us what the byte is. The process can then be repeated up to 0x40 times to leak data, but in practice 0x10 iterations will allow one to get around memory randomization and tell us where our PacketBuffer is in memory.

**Timeline**

2019-04-18 - Vendor Disclosure  
2019-05-20 - Vendor completed analysis  
2019-06-18 - Follow up with vendor  
2019-07-02 - 90 day notice; Vendor advised updates scheduled for release mid-July  
2019-07-18 - Vendor advised fix will release end of July and be tested in the field  
2019-07-26 - Extended disclosure date to 2019-08-15  
2019-08-19 - Public Release

Discovered by Lilith Wyatt and Claudio Bozzato of Cisco Talos.

CVE-2019-5034: TALOS-2019-0797 || Cisco Talos Intelligence Group

An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted weave packets can brute force a pairing code, resulting in greater Weave access and potentially full device control. An attacker can send specially crafted packets to trigger this vulnerability.

**Summary**

An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted weave packets can brute force a pairing code, resulting in greater Weave access and potentially full device control. An attacker can send specially crafted packets to trigger this vulnerability.

**Tested Versions**

Nest Labs Nest Cam IQ Indoor version 4620002

**Product URLs**

https://store.nest.com/product/nest-cam-iq/NC3200US

**CVSSv3 Score**

9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-307: Improper Restriction of Excessive Authentication Attempts

**Details**

The Nest Cam IQ Indoor is one of Nest Labs’ most expensive and advanced devices. The surveillance camera integrates with Google Assistant, contains facial recognition technology and even has the ability to act as an 6lowpan hub for other less powerful internet-of-things devices. The main protocol that is used for setup and initial communications of Nest devices is Weave, a protocol designed strictly for IoT devices, which can run over TCP, UDP, Bluetooth and 6lowpan.

Before going into the details of the bug itself, a quick overview of the Weave protocol and terminology is needed, so for brevity, here’s a packet dissection of a sample weave packet that will be relevant later on:

    --------TCP Message Layer-----------  //[1]
    Mesage_Length   : 0x0146
    Message Version : 0x1
    Message_Id      : 0x00000004
    Message_Flags   : 0x0300    : [ Dstnode|Srcnode ]
    Src_Node        : 0000000000000002
    Dst_Node        : 0000000000000001
    Encryption      : None
    --------Exchange Layer-----------    //[2]
    Exchange Ver|Flag   :  0x11       :  [ Initiator ]
    Exchange MsgType    :  0x1        : kMsgType_PASEInitiatorStep1 //[3]
    Exchange ExchangeID :  0x70e3
    Exchange ProfileID  :  0x00000004 : kWeaveProfile_Security  //[4]
    --------Data Layer-----------   //[5]
    kMsgType_PASEInitiatorStep1
    controlHeader: 0x8011213f
    sizeHeader: 0x01070e0e
    ProtocolConfig: 0x235a0004
    AltConfig[0]: 0x235a0001
    gx: 0xe, zkpxgr: 0xe, zkpxb: 0x7
    step1.p1.gx: \x26\x79\x13\xe9\x91\x07\xd8\x95\xd2\xda\xa5\xb9\xc3\x63\x69\xb3\x63\xfa\x8f\x8a\x38\x96\x44\xd3\x60\x7e\x39\xbc\x3b\xc9\xb0\x1f\x0d\x3a\x56\x0a\x9f\x45\x83\x40\x26\x56\x0a\x8c\x1b\xbf\xba\x0e\xed\x61\x7a\x98\xc1\x60\x68\x22
    step1.p2.gx: \x9e\x61\x2e\xc7\x06\x33\x48\xb6\xbd\xfd\xc1\x60\x85\xed\x3f\xa1\x25\xc1\x91\x9c\x6b\xe9\x7e\xd6\x06\x5c\x66\x3b\xe3\x36\x23\x45\xaa\xea\x6e\x12\x87\x68\xa4\x43\x0d\xa5\xd3\x42\x72\x28\x04\x25\x34\x5b\x0a\x30\x41\x00\xa5\x22
    step1.p2.zkpx.gr:
    \x1e\x22\x9a\x94\x67\x36\x88\xc4\x29\xa3\x57\xd3\xbd\xb7\x6a\xee\xba\x17\xc8\x19\xaf\x11\x89\xa3\xc1\x7d\x08\xff\xe5\x65\xd0\x74\xc3\x26\x8d\x20\x83\xe0\x81\x9a\x69\x7e\x67\xe6\x40\xc1\xcc\x83\xe7\x55\x27\x63\x63\x0f\x71\x7d
    step1.p2.zkpx.b: \x38\x07\x74\x4e\x85\x3e\x9a\x2c\x97\x31\x16\xf7\x88\x86\xd8\xa4\x81\x70\xaf\x9b\x72\xf8\x56\x5a\x67\xc4\x15\x7d
    step1.p2.zkpx.gr: \xd3\x0d\x93\x9e\x3b\xe1\x2f\x33\xf2\x80\xb9\x27\x78\x74\xf4\xda\xdf\x90\xeb\x5a\xee\x77\x86\x9b\x44\x37\x13\x55\x83\x9d\x35\x01\x49\xb5\xa7\x61\x06\xa8\x9d\x47\x4b\x76\xca\xbc\xf5\x97\xc4\x83\xf2\x93\x93\x7f\xb1\xec\x16\x27
    step1.p2.zkpx.b: \xeb\xe9\x8c\x3a\x99\x5a\x61\x5f\xe0\x76\x5c\xae\x06\x55\xda\x5c\x45\xca\xc5\x54\x55\xd3\x22\x74\x85\x76\xdd\x0e
    

Weave messages consist of three layers: message, exchange and data. The message layer \[1\] and exchange layer \[2\] are both variable sized and consist of little-endian fields as listed above. The Data Layer \[5\] is strictly dependent on the MessageType \[3\] and ProfileId \[4\], and every combination thereof generally has a unique message structure, which can be seen from all the parsed fields below \[5\]. The ProfileID is fittingly used to determine which Weave “Profile” to talk with, and likewise, the MessageType is essentially the opcode for the given Profile.

Turning back now to the vulnerability, when initially setting up any Nest device, the owner typically looks for a QRcode or a six-digit/letter code somewhere on the device which is then used as a shared secret for JPAKE authentication in the pairing process. Normally, due to the processing time required to do a single round of JPAKE authentication, the fact that JPAKE must be done online, and also the key space of six alphanumeric characters, it would be unreasonable to brute force this process, even though there is no tracking of failed authentication attempts.

Interestingly though, it turns out that the six-digit codes used by Nest are actually Verhoeff base32 checksum values. This allows a device owner to know if they typed their code in wrong, as their phone will quickly check to see if the code is a valid Verhoeff number. Regardless, this takes the key space down from 1073741824 (32^6) possible entries to 33554432 (32^5), a factor of 32 and a slightly more reasonable runtime.

When benchmarking this process, by utilizing the default WeaveDeviceManager’s PASE pairing in a loop, we can get ~100 iterations per 1.3 seconds against the device, which would allow for a full key space brute force in around one month. By writing a python implementation of the PASE pairing setup, we were able to speed up runtime, as the WeaveDeviceManager sends extra identification packets that were not necessary. Interestingly though, it seems that the main bottle neck to this is actually the Nest Camera itself, as it can only process network packets in a single threaded manner.

While needing to communicate with a device for three to four weeks might be unreasonable for brute forcing, the pairing code will stay the same for a given device across reboots, and also, if the device is ever in a non-configured state when the code has been discovered, an attacker can emulate the pairing process and add the device to their own Nest account, granting full access.

If the device is already in a paired state when an attacker authenticates with the pairing code, it is dependent on a device-to-device basis on what types of weave requests the attacker would now be authenticated to send.

**Timeline**

2019-04-18 - Vendor Disclosure  
2019-05-20 - Vendor completed analysis  
2019-06-18 - Follow up with vendor  
2019-07-02 - 90 day notice; Vendor advised updates scheduled for release mid-July  
2019-07-18 - Vendor advised fix will release end of July and be tested in the field  
2019-07-26 - Extended disclosure date to 2019-08-15  
2019-08-19 - Public Release

Discovered by Lilith Wyatt and Claudio Bozzato of Cisco Talos.

CVE-2019-5035: TALOS-2019-0798 || Cisco Talos Intelligence Group

An exploitable denial-of-service vulnerability exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. A specially crafted weave packets can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service. An attacker can send a specially crafted packet to trigger this vulnerability.

**Summary**

An exploitable denial-of-service vulnerability exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. A specially crafted weave packets can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service. An attacker can send a specially crafted packet to trigger this vulnerability.

**Tested Versions**

Nest Labs Nest Cam IQ Indoor version 4620002

**Product URLs**

https://store.nest.com/product/nest-cam-iq/NC3200US

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**CWE**

CWE-284: Improper Access Control

**Details**

The Nest Cam IQ Indoor is one of Nest Labs’ most expensive and advanced devices. The surveillance camera integrates with Google Assistant, contains facial recognition technology and even has the ability to act as an 6lowpan hub for other less powerful internet-of-things devices. The main protocol that is used for setup and initial communications of Nest devices is Weave, a protocol designed strictly for IoT devices, which can run over TCP, UDP, Bluetooth and 6lowpan.

Before going into the details of the bug itself, a quick overview of the Weave protocol and terminology is needed, so for brevity, here’s a packet dissection of a sample weave packet:

    --------TCP Message Layer-----------  //[1]
    Mesage_Length   : 0x0146
    Message Version : 0x1
    Message_Id      : 0x00000004
    Message_Flags   : 0x0300    : [ Dstnode|Srcnode ]
    Src_Node        : 0000000000000002
    Dst_Node        : 0000000000000001
    Encryption      : None
    --------Exchange Layer-----------    //[2]
    Exchange Ver|Flag   :  0x11       :  [ Initiator ]
    Exchange MsgType    :  0x1        : kMsgType_PASEInitiatorStep1 //[3]
    Exchange ExchangeID :  0x70e3
    Exchange ProfileID  :  0x00000004 : kWeaveProfile_Security  //[4]
    --------Data Layer-----------   //[5]
    kMsgType_PASEInitiatorStep1
    controlHeader: 0x8011213f
    sizeHeader: 0x01070e0e
    ProtocolConfig: 0x235a0004
    AltConfig[0]: 0x235a0001
    gx: 0xe, zkpxgr: 0xe, zkpxb: 0x7
    [...]
    

Weave messages consist of three layers: message, exchange and data. The message layer \[1\] and exchange layer \[2\] are both variable sized and consist of little-endian fields as listed above. The data layer \[5\] is strictly dependent on the MessageType \[3\] and ProfileId \[4\], and every combination thereof generally has a unique message structure, which can be seen from all the parsed fields below \[5\]. The ProfileID is fittingly used to determine which Weave “Profile” to talk with, and likewise, the MessageType is essentially the opcode for the given Profile.

For the purposes of this advisory, let’s consider the MessageType kMsgType_KeyError. When performing any sort of authentication to a Weave device, the profileID used is fittingly kWeaveProfile_Security. All weave messages of this type get passed to the WeaveSecurityManager, which is the sole authentication authority. Interestingly, when looking at messages destined for itself, the first thing WeaveSecurityManager does is checking if it’s received a kMsgType_KeyError message:

    void WeaveSecurityManager::HandleUnsolicitedMessage(ExchangeContext *ec, const IPPacketInfo *pktInfo, const WeaveMessageInfo *msgInfo,
            uint32_t profileId, uint8_t msgType, PacketBuffer* msgBuf) {
        WEAVE_ERROR err = WEAVE_NO_ERROR;
        WeaveSecurityManager *secMgr = (WeaveSecurityManager *)ec->AppState;
    
        // Handle Key Error Messages.
        if (profileId == kWeaveProfile_Security && msgType == kMsgType_KeyError)
        {
            secMgr->HandleKeyErrorMsg(ec, msgBuf); //[6]
            msgBuf = NULL;
            ec = NULL;
    
            ExitNow();
        }
    [...]
    }
    

Normally, the kMsgType_KeyError is sent by a Weave server when a client has failed authentication, at which point, the client will close the connection. Examining the actual KeyErrorMsg handler at \[6\], we see:

    void WeaveSecurityManager::HandleKeyErrorMsg(ExchangeContext *ec, PacketBuffer* msgBuf)
    {
        WEAVE_ERROR err;
        WeaveSessionKey *sessionKey;
        uint8_t *p = msgBuf->Start();
        uint64_t srcNodeId = ec->PeerNodeId;
        uint16_t keyId;
        uint8_t encType;
        uint16_t keyErrCode;
        uint32_t messageId;
        WEAVE_ERROR keyErr;
        uint64_t endNodeIds[WEAVE_CONFIG_MAX_END_NODES_PER_SHARED_SESSION + 1]; // 10 + 1
        uint8_t endNodeIdsCount = 0;
    
        // Verify correct message size.
        if (msgBuf->DataLength() != kWeaveKeyErrorMessageSize) // 0x9
            ExitNow();
    
        // Read the message fields.
        keyId = LittleEndian::Read16(p); //[7]
        encType = Read8(p);
        messageId = LittleEndian::Read32(p);
        keyErrCode = LittleEndian::Read16(p);
        //[…]
        	
    
        // If the failed key is a session key...
        if (WeaveKeyId::IsSessionKey(keyId))  // ( Key & 0x0FFFF000 == 0x2000) 		         
            // Attempt to find the referenced session key.  If found...
            err = FabricState->FindSessionKey(keyId, srcNodeId, false, sessionKey);  //[8] 
    

First, the DataLayer of our packet must be 0x9 bytes long. Second, our packet lets the server know which keyID has failed via the first two bytes (\[7\]). Third, using the keyId and the srcNodeId that sent the packet, the server tries to find the session key we are referring to at \[8\]. It’s worth noting that the srcNodeID is the eight-byte little-endian field in the MessageLayer, which typically corresponds to the 802.15.14 mac address for Weave devices. Regardless, we have to know both the keyId and the srcNode that we want to deny service to (these fields can also be brute forced).

Next, lets look at what happens if there is a SessionKey found for the given (keyId, srcNodeId) pair:

    if (err == WEAVE_NO_ERROR) {
                if (sessionKey->IsSharedSession()) { 
                    FabricState->GetSharedSessionEndNodeIds(sessionKey, endNodeIds, sizeof(endNodeIds) / sizeof(uint64_t), endNodeIdsCount);
                }
    
                // Add the terminating node to the list of peer nodes associated with the key.
                endNodeIds[endNodeIdsCount++] = sessionKey->NodeId; 
    
                // Discard the failed session key.
                FabricState->RemoveSessionKey(keyId, srcNodeId);           //[9]
            }       
        } else {
            endNodeIds[endNodeIdsCount++] = srcNodeId; //endNodeIds => function array
        }
    
        // For each peer node associated with the key, notify the exchange manager that the key has failed
        // with respect to that peer.
        for (int i = 0; i < endNodeIdsCount; i++)
            ExchangeManager->NotifyKeyFailed(endNodeIds[i], keyId, keyErr); //[10]
    

Of note in the above code is that the SecurityManager will first remove the SessionKey from memory \[9\], and then subsequently notify the ExchangeManager that the exchange has failed \[10\], which causes the weave device to perform all the teardowns and cleanups necessary for that given peer.

The main reason why this vulnerability is relevant is that it’s essentially a Weave Deauth-Frame. The function call to FabricState->FindSessionKey(keyId, srcNodeId, false, sessionKey); does not take into account the source connection of our KeyErrorMsg, which means that we can send packets over Bluetooth to kill a connection that’s occurring over TCP, or send UDP packets to repeatedly kill a 802.15.14 device’s weave connection (rendering the device useless).

It’s worth noting again that the KeyId that is being used must be known, along with the SrcNode that one wishes to disconnect. The key space is relatively small however, the KeyId must be between 0x2000 and 0x3000, and also a Weave Device’s NodeID will generally always start with 18:b4:30:00:00. If an attacker can sniff any packets from a node, it will have the Node’s ID, and it can also be found via a kMsgType_Identify request sent to the device or as a broadcast.

**Timeline**

2019-04-18 - Vendor Disclosure  
2019-05-20 - Vendor completed analysis  
2019-06-18 - Follow up with vendor  
2019-07-02 - 90 day notice; Vendor advised updates scheduled for release mid-July  
2019-07-18 - Vendor advised fix will release end of July and be tested in the field  
2019-07-26 - Extended disclosure date to 2019-08-15  
2019-08-19 - Public Release

Discovered by Lilith Wyatt and Claudio Bozzato of Cisco Talos.

CVE-2019-5036: TALOS-2019-0799 || Cisco Talos Intelligence Group

An exploitable information disclosure vulnerability exists in the Weave MessageLayer parsing of Openweave-core version 4.0.2 and Nest Cam IQ Indoor version 4620002. A specially crafted weave packet can cause an integer overflow to occur, resulting in PacketBuffer data reuse. An attacker can send a packet to trigger this vulnerability.

**Summary**

An exploitable information disclosure vulnerability exists in the Weave MessageLayer parsing of Openweave-core version 4.0.2 and Nest Cam IQ Indoor version 4620002. A specially crafted weave packet can cause an integer overflow to occur, resulting in PacketBuffer data reuse. An attacker can send a packet to trigger this vulnerability.

**Tested Versions**

Nest Labs Openweave-core 4.0.2 Nest Labs Nest Cam IQ Indoor version 4620002

**Product URLs**

https://openweave.io/ https://store.nest.com/product/nest-cam-iq/NC3200US

**CVSSv3 Score**

8.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

**CWE**

CWE-190: Integer Overflow Or Wraparound

**Details**

Openweave is the opensource implementation of the Weave protocol, which was initially developed by Nest Labs in order to provide a Session-Layer agnostic method of communication between their IoT devices. This protocol is used by Nest devices such as the Nest Cam IQ Indoor, one of Nest Labs’ most expensive and advanced devices, integrating Google Assistant, facial recognition and even the capability to act as an 6lowpan hub for other less powerful IoT devices. The issue described in this advisory is thus also present in the Nest Cam IQ Indoor.

Before going into the details of the bug itself, a quick overview of the Weave protocol and terminology is needed, so for brevity, here’s a packet dissection of a sample weave packet:

    --------TCP Message Layer-----------  //[1]
    Mesage_Length   : 0x0146
    Message Version : 0x1
    Message_Id      : 0x00000004
    Message_Flags   : 0x0300    : [ Dstnode|Srcnode ]
    Src_Node        : 0000000000000002
    Dst_Node        : 0000000000000001
    Encryption      : None
    --------Exchange Layer-----------    //[2]
    Exchange Ver|Flag   :  0x11       :  [ Initiator ]
    Exchange MsgType    :  0x1        : kMsgType_PASEInitiatorStep1 //[3]
    Exchange ExchangeID :  0x70e3
    Exchange ProfileID  :  0x00000004 : kWeaveProfile_Security  //[4]
    --------Data Layer-----------   //[5]
    kMsgType_PASEInitiatorStep1
    controlHeader: 0x8011213f
    sizeHeader: 0x01070e0e
    ProtocolConfig: 0x235a0004
    AltConfig[0]: 0x235a0001
    gx: 0xe, zkpxgr: 0xe, zkpxb: 0x7
    [...]
    

Weave messages consist of three layers: Message, Exchange, and Data. The Message Layer \[1\] and Exchange Layer \[2\] are both variable sized and consist of little-endian fields as listed above. The Data Layer \[5\] is strictly dependent on the MessageType \[3\] and ProfileId \[4\], and every combination thereof generally has a unique message structure, which can be seen from all the parsed fields below \[5\]. The ProfileID is fittingly used to determine which Weave “Profile” to talk with, and likewise, the MessageType is essentially the opcode for the given Profile.

When examining the Message Layer parsing of a given packet buffer, we must fittingly examine /src/lib/core/WeaveMessageLayer.cpp, and more specifically the WeaveMessageLayer::DecodeMessageWithLength function. It should be noted that UDP packets will not hit this code path and will instead be directed straight to WeaveMessageLayer::DecodeMessage, as a UDP packet’s length is determined by the return value of recvfrom. Moving on, let us examine the relevant code:

    WEAVE_ERROR WeaveMessageLayer::DecodeMessageWithLength(PacketBuffer *msgBuf, uint64_t sourceNodeId, WeaveConnection *con, WeaveMessageInfo *msgInfo, uint8_t **rPayload, uint16_t *rPayloadLen, uint16_t *rFrameLen) {
    
        uint8_t *dataStart = msgBuf->Start();
        uint16_t dataLen = msgBuf->DataLength();
    
        // Error if the message buffer doesn't contain the entire message length field.
        if (dataLen < 2) {
            *rFrameLen = 8; // Assume absolute minimum frame length.
            return WEAVE_ERROR_MESSAGE_INCOMPLETE;
        }
    
        // Read the message length.
        uint16_t msgLen = LittleEndian::Get16(dataStart); //[6]
    
        // The frame length is the length of the message plus the length of the length field.
        *rFrameLen = msgLen + 2;        //[7]
    
        // Error if the message buffer doesn't contain the entire message, or is too
        // long to ever fit in the buffer.
        if (dataLen < *rFrameLen){      //[8] 
            if (*rFrameLen > msgBuf->MaxDataLength() + msgBuf->ReservedSize())
            return WEAVE_ERROR_MESSAGE_TOO_LONG;
            return WEAVE_ERROR_MESSAGE_INCOMPLETE;
        }
    
        // Adjust the message buffer to point at the message, not including the message length field that precedes it,
        // and not including any data that may follow it.
        msgBuf->SetStart(dataStart + 2);  
        msgBuf->SetDataLength(msgLen);  //[9]
    
        // Decode the message.
        WEAVE_ERROR err = DecodeMessage(msgBuf, sourceNodeId, con, msgInfo, rPayload, rPayloadLen);
    

At \[6\] we read in the bytes from the packet that let Weave know how long it is. Due the possibility of TCP reassembly, the msgLen that we give might not be the length of our actual buffer (dataLen). Moving on, we add 2 to our given msgLen at \[7\] and store it in the rFrameLen variable, which from the prototype, one can see is a uint16_t, just like our msgLen. As one might guess, we can overflow this variable by setting our msgLen to 0xFFFF or 0xFFFE, which allows us to bypass the check at \[8\], causing us to hit \[9\] with a msgLen that is much much greater than the intended maximum size of a PacketBuffer at ~0x62F. Weave will actually see that the msgLen is greater than 0x62F at the msgBuf->SetDataLength(msgLen) line, and will knock the message length down to 0x62F regardless. More accurately, it will cause our PacketBuffer’s length to be set to the maximum size left. Since there can be more than one message in a PacketBuffer at a time, if there’s 0x300 bytes left, SetDataLength(0xFFFF) will result in the PacketBuffer’s length now being 0x300.

This vulnerability allows us to send a short packet and have whatever data was already there to be included into our packet, as the allocation and freeing of a PacketBuffer do not clear the data inside, which provides an attacker something to work with. The quickest and most useful packet to send is the kMsgType_EchoRequest, as one can read out the last sent packet by any other party over any other connection (as TCP, UDP, Bluetooth and 6lowpan all share the same PacketBufferPool). Even more interesting is that, when dealing with encrypted communications (e.g. a PASE or CASE session), encrypted messages are actually encrypted and decrypted in the PacketBuffer itself, which would allow us to read data sent encrypted over the wire to a device (such as Fabric Configurations, Network Configurations, or other sensitive information).

There might be more uses for this vulnerability, so the following will be a description of the constraints thereof. One can replay as much data as one wants from a previous packet, but it should be noted that this cannot be done with packets that are encrypted. However this might be useful, as one could potentially end encrypted sessions to a third party by replaying their previous encrypted packet and changing the Message_ID field.

**Timeline**

2019-04-18 - Vendor Disclosure  
2019-05-20 - Vendor completed analysis  
2019-06-18 - Follow up with vendor  
2019-07-02 - 90 day notice; Vendor advised updates scheduled for release mid-July  
2019-07-18 - Vendor advised fix will release end of July and be tested in the field  
2019-07-26 - Extended disclosure date to 2019-08-15  
2019-08-19 - Public Release

Discovered by Lilith Wyatt and Claudio Bozzato of Cisco Talos.

CVE-2019-5040: TALOS-2019-0803 || Cisco Talos Intelligence Group

An exploitable denial-of-service vulnerability exists in the Weave certificate loading functionality of Nest Cam IQ Indoor camera, version 4620002. A specially crafted weave packet can cause an integer overflow and an out-of-bounds read on unmapped memory to occur, resulting in a denial of service. An attacker can send a specially crafted packet to trigger.

**Summary**

An exploitable denial-of-service vulnerability exists in the Weave certificate loading functionality of the Nest Cam IQ Indoor camera, version 4620002. A specially crafted weave packet can cause an integer overflow and an out-of-bounds read on unmapped memory to occur, resulting in a denial of service. An attacker can send a specially crafted packet to trigger this vulnerability.

**Tested Versions**

Nest Labs Nest Cam IQ Indoor version 4620002

**Product URLs**

https://store.nest.com/product/nest-cam-iq/NC3200US

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**CWE**

CWE-190: Integer Overflow Or Wraparound

**Details**

The Nest Cam IQ Indoor is one of Nest Labs’ most expensive and advanced devices. The surveillance camera integrates with Google Assistant, contains facial recognition technology and even has the ability to act as an 6lowpan hub for other less powerful internet-of-things devices. The main protocol that is used for setup and initial communications of Nest devices is Weave, a protocol designed strictly for IoT devices, which can run over TCP, UDP, Bluetooth and 6lowpan.

Before going into the details of the bug itself, a quick overview of the Weave protocol and terminology is needed, so for brevity, here’s a packet dissection of a sample weave packet:

    --------TCP Message Layer-----------  //[1]
    Mesage_Length   : 0x0146
    Message Version : 0x1
    Message_Id      : 0x00000004
    Message_Flags   : 0x0300    : [ Dstnode|Srcnode ]
    Src_Node        : 0000000000000002
    Dst_Node        : 0000000000000001
    Encryption      : None
    --------Exchange Layer-----------    //[2]
    Exchange Ver|Flag   :  0x11       :  [ Initiator ]
    Exchange MsgType    :  0x1        : kMsgType_PASEInitiatorStep1 //[3]
    Exchange ExchangeID :  0x70e3
    Exchange ProfileID  :  0x00000004 : kWeaveProfile_Security  //[4]
    --------Data Layer-----------   //[5]
    kMsgType_PASEInitiatorStep1
    controlHeader: 0x8011213f
    sizeHeader: 0x01070e0e
    ProtocolConfig: 0x235a0004
    AltConfig[0]: 0x235a0001
    gx: 0xe, zkpxgr: 0xe, zkpxb: 0x7
    [...]
    

Weave messages consist of three layers: message, exchange and data. The message layer \[1\] and exchange layer \[2\] are both variable sized and consist of little-endian fields as listed above. The data layer \[5\] is strictly dependent on the MessageType \[3\] and ProfileId \[4\], and every combination thereof generally has a unique message structure, which can be seen from all the parsed fields below \[5\]. The ProfileID is fittingly used to determine which Weave “Profile” to talk with, and likewise, the MessageType is essentially the opcode for the given profile.

For the purposes of this writeup, let’s consider the MessageType kMsgType_CASEBeginSessionRequest. This request is what a client sends when it wants the maximum amount of permissions that one can get via Weave, and it allows access to all Weave requests that are included in the given device. Unlike PASE, which requires a simple 6-8 character pairing code, CASE authentication requires that one present a fully valid weave certificate chain to the device, and also that the certificate chain has a common root of trust to the Certificate Authorities that are currently configured on the device.

A sample CASEBeginSessionRequest looks as such:

    --------TCP Message Layer-----------
    Mesage_Length   : 0x01a7
    Message Version : 0x1
    Message_Id      : 0x0000000a
    Message_Flags   : 0x0200    : [ Srcnode ]
    Src_Node        : 0000000000000002
    Encryption      : None
    --------Exchange Layer-----------
    Exchange Ver|Flag   :  0x11       |  [ Initiator ]
    Exchange MsgType    :  0x0a       | kMsgType_CASEBeginSessionRequest
    Exchange ExchangeID :  0xbfd7
    Exchange ProfileID  :  0x00000004 | kWeaveProfile_Security
    --------Data Layer-----------
    kMsgType_CASEBeginSessionRequest
    controlHeader: 0x81  (32-bit KeyConfirm)
    AlternateConfigCount: 0x1
    AlternateCurveCount: 0x2
    ECDHPubKey_PointLen: 0x39
    CertInfoLength: 0xf8
    PayloadLength: 0x0
    ProtocolConfig: 0x235a0002
    CurveId: 0x235a0025
    SessionKeyId: 0x21e5
    AlternateConfigs[0]: 0x235a0001
    AlternateCurveIds[0]: 0x235a001b
    AlternateCurveIds[1]: 0x235a0025
    ECDHPubKey: // [8]
    \x04\x3d\xd5\x3d\x9d\xd9\xda\xca\x73\x13\xcf\xd8\x94\xc7\x54\xa1\x5f\x8e\x08\x2c\x56\x01\xee\x9a\xb3\x32\xee\xef\x16\x35\x93\x77\x2f\x59\xd6\x3f\xcb\x23\xa6\x0e\x6b\x1c\x95\x08\xca\x0f\x0e\xf7\xdc\x2c\x9b\x0f\x66\xb3\x32\x95\x07
    CertInfo: \x00\x35\x01\x30\x01\x08<insert weave certificate chain here>\x18\x18\x18\x95 //[6]
    Payload: <empty>
    Signature:  //[7] \x08\x00\x30\x01\x1c\x3c\x10\x7e\xb6\x8c\x8a\x37\x3d\x5c\x77\x33\x1b\x46\x02\x52\x30\x20\x45\x90\x2b\xa8\xb9\xde\x66\x39\x1c\x91\x27\x02\x1c\x51\x4c\x3a\x06\x64\x3c\x16\xa5\x53\x8f\xf0\x16\x4b\x32\xa1\x42\x94\x28\x6a\x52\x05\xa3\x2d\xd2\xd4\xd3\x43\x56\x18
    

Giving a summary of the process, the server will take the above client’s request, extract the certificate chain \[6\] and verify that there’s a common trust anchor somewhere along the way. After this, the server will verify that the message has been signed by the private key of the valid certificate by checking the DER encoded ECDSA signature located at \[7\]. Then, by using the client’s ephemeral ECDH public key \[8\] and their own ephemeral ECDH private key, the client and server will generate a shared secret of length 32.

At this point, it should be noted that CASE and PASE are the same process from here on (with the exception of the permissions granted). The shared secret will then be extended via HKDF in order to generate three different keys, a data key, an integrity key and also a KeyConfirmation key, which are then used for AES128CBC encryption and SHA256 hashing.

Turning back to the vulnerability itself, let us examine the parsing of the BeginCASESessionRequest:

    WEAVE_ERROR BeginSessionRequestMessage::DecodeHead(PacketBuffer *msgBuf){
    WEAVE_ERROR err = WEAVE_NO_ERROR;
    uint8_t *p = msgBuf->Start();
    uint16_t msgLen = msgBuf->DataLength(); // max ~1670
    uint16_t msgLenWithoutSig;
    uint8_t controlHeader;
    
    // Verify we can read the fixed length portion of the message without running into the end of the buffer.
    VerifyOrExit(msgLen > 18, err = WEAVE_ERROR_MESSAGE_INCOMPLETE);
    
    // Parse and decode the control header.
    controlHeader = *p++; // 1
    EncryptionType = controlHeader & kCASEHeader_EncryptionTypeMask;
    PerformKeyConfirm = ((controlHeader & kCASEHeader_PerformKeyConfirmFlag) != 0);
    VerifyOrExit((controlHeader & kCASEHeader_ControlHeaderUnusedBits) == 0, err = WEAVE_ERROR_INVALID_ARGUMENT);
    
    // Parse the alternate config count, alternate curve count and DH public key length.
    AlternateConfigCount = *p++;            
    VerifyOrExit(AlternateConfigCount <= kMaxAlternateProtocolConfigs, err = WEAVE_ERROR_INVALID_ARGUMENT);
    AlternateCurveCount = *p++;
    VerifyOrExit(AlternateCurveCount <= kMaxAlternateCurveIds, err = WEAVE_ERROR_INVALID_ARGUMENT);
    ECDHPublicKey.ECPointLen = *p++;             //[9]
    
    // Parse the certificate information length.
    CertInfoLength = LittleEndian::Read16(p);    //[10]
    
    // Parse the payload length.
    PayloadLength = LittleEndian::Read16(p);     //[11]
    
    // Parse the proposed protocol config.
    ProtocolConfig = LittleEndian::Read32(p); 
    
    // Parse the proposed curve id.
    CurveId = LittleEndian::Read32(p);
    
    // Parse the session key id.
    SessionKeyId = LittleEndian::Read16(p);
       
    // Verify the overall message length is consistent with the claimed field sizes.
    msgLenWithoutSig = HeadLength() + ECDHPublicKey.ECPointLen + CertInfoLength + PayloadLength; //[12]
    VerifyOrExit(msgLen > msgLenWithoutSig, err = WEAVE_ERROR_MESSAGE_INCOMPLETE);  //[13]
    

At \[9\], \[10\], and \[11\], we can see that we have full control of the ECDHPublicKey.ECPointlen, CertInfoLength, and Payload Length fields. Then, at \[12\], we can also see that these fields are added together into the msgLenWithoutSig variable, which is a uint_16, which causes us to be able to wrap around and bypass the check at \[13\]. So what does that give us?

    for (uint8_t i = 0; i < AlternateConfigCount; i++)           
         AlternateConfigs[i] = LittleEndian::Read32(p);
    
    // Parse the alternate curves list.
    for (uint8_t i = 0; i < AlternateCurveCount; i++)
        AlternateCurveIds[i] = LittleEndian::Read32(p); 
    
    // Save a pointer to the DH public key.
    ECDHPublicKey.ECPoint = p; //[14]
    p += ECDHPublicKey.ECPointLen; 
    
    // Save a pointer to the initiator's certificate information.
    CertInfo = p;  // [15]
    p += CertInfoLength; 
    
    // Save a pointer to the payload data.
    Payload = p;   // [16]
    p += PayloadLength; 
    
    // Save a pointer to the signature and compute the signature length.
    Signature = p;
    SignatureLength = msgLen - msgLenWithoutSig; 
    
    exit:
        return err;
    }
    

Turns out we can set the ECDHPublicKey.ECPoint to length of 0xFF, the CertInfo to length of 0xFFFF, and also the Payload length to 0xFFFF. Unfortunately, the only useful one of these options is setting the CertInfo to 0xFFFF, as the Payload is never used and only a fixed maximum of the ECPoint variable is used. This brings us to the WeaveCASEEngine::DecodeCertificateInfo function:

    WEAVE_ERROR WeaveCASEEngine::DecodeCertificateInfo(BeginSessionMessageBase& msg, WeaveCertificateSet& certSet,
                                                   WeaveDN& entityCertDN, CertificateKeyId& entityCertSubjectKeyId)
    {
        WEAVE_ERROR err;
        TLVReader reader;
        WeaveCertificateData *entityCert = NULL;
    
        // Begin decoding the certificate information structure.
        reader.Init(msg.CertInfo, msg.CertInfoLength);
    

By having our message’s CertInfoLength set to 0xFFFF, we can create a WeaveTLVReader with a maximum length of 0xFFFF, even though we normally would only ever have a maximum of the size of our current packet buffer (~0x62F). Continuing on in the function:

    err = reader.Next() //[21]	
    
    if (err == WEAVE_NO_ERROR && reader.GetTag() == ContextTag(kTag_CASECertificateInfo_EntityCertificate)) 
        {                                                                     
            // Load the authenticating entity's certificate into the certificate set.
            err = certSet.LoadCert(reader, kDecodeFlag_GenerateTBSHash, entityCert); //[17]
            SuccessOrExit(err);
    
            entityCertDN = entityCert->SubjectDN;
            entityCertSubjectKeyId = entityCert->SubjectKeyId;
    
            err = reader.Next();
        }
    
        // Look for the EntityCertificateRef element and fail if found.
        // NOTE: This version of the code does not support the use of certificate reference to identify the certificate.
        if (err == WEAVE_NO_ERROR && reader.GetTag() == ContextTag(kTag_CASECertificateInfo_EntityCertificateRef))
        {                                                                         
            ExitNow(err = WEAVE_ERROR_UNSUPPORTED_CERT_FORMAT); // TODO: use better error //[18]
        }
    
        // Look for the RelatedCertificates element. If found, load the contained certificates into the certificate set.
        if (err == WEAVE_NO_ERROR && reader.GetTag() == ContextTag(kTag_CASECertificateInfo_RelatedCertificates)) {
            err = certSet.LoadCerts(reader, kDecodeFlag_GenerateTBSHash);      
            SuccessOrExit(err); //[19]
    
            err = reader.Next();
        }
    
        // Skip the TrustAnchors element if present.  This represents information an initiator provides to the
        // responder about what certificates it trusts, allowing the responder to select an appropriate entity
        // certificate to respond with. This code assumes that the local node only has a single entity certificate,
        // and thus its that or nothing.
        if (err == WEAVE_NO_ERROR && reader.GetTag() == ContextTag(kTag_CASECertificateInfo_TrustAnchors))
        {                                                                      
            err = reader.Next();  //[20]
        }
    

As shown above, there are four different elements that get read in from the CertInfo field. At \[17\], the code tries to read in the Client’s certificate, and at \[19\] the code reads in the client’s Certificate Chain. Interestingly, the code at \[18\] and \[20\], are basically ignored elements. Even though the code at \[17\] and \[19\] are the most complex, the easiest way to actually exploit this bug is to go with code path \[20\]. At \[21\], we already advanced the WeaveTLVReader by one element, and at \[20\], we cause the WeaveTLVReader to skip over another element without ever processing to see if it was valid or not. Due to this, if we cause the reader.Next at \[20\] to skip over an element of rather large length (perhaps 0xFFE0), the reader will then advance its read pointer by this much.

Normally, a TLVReader is always bounded by the maximum length that it was initialized with, but due to the integer overflow inside of DecodeCertificateInfo, we can cause the TLVReader to advance to unmapped memory, causing a crash.

**Crash Information**

    Thread 10 "nldaemon" received signal SIGSEGV, Segmentation fault.
    ?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????[ registers ]???$
    $x0       : 0x000000556d83cbea
    $x1       : 0x000000556d83cbea
    $x2       : 0x000000000000f000
    $x3       : 0x000000783827fb18  ?  0x0000007838499000  ?  0x00000078384f0000  ?  0x000000556d7aa1d8  ?  0x000000556d59c22c  ?  <nlWeaveCASEAuth::GetNodeCertInfo(bool,+0> sub sp,  sp,  #0x40
    $x4       : 0x000000783827f640  ?  0x000000783827f6b0  ?  0x000000783827f610  ?  0x0000000000000000
    $x5       : 0x000000783827f780  ?  0x000000783827fa00  ?  0x000000783827fb60  ?  0x000000783827fba0  ?  0x000000783827fcc0  ?  0x000000783827fd10  ?  0x000000783827fd80  ?  0x000000783827fe40
    $x6       : 0x000000783827f7d2  ?  0xf000000000783827 ("'8x"?)
    $x7       : 0x6966697472654365 ("eCertifi"?)
    $x8       : 0xaa45f89f34824c29
    $x9       : 0xaa45f89f34824c29
    $x10      : 0x0000000000000001
    $x11      : 0x00000000ffffffd8
    $x12      : 0x000000783827f610  ?  0x0000000000000000
    $x13      : 0x0000000000000000
    $x14      : 0x0000007839146358  ?  0x3736353433323130 ("01234567"?)
    $x15      : 0x0000000000000000
    $sp       : 0x000000783827f840  ?  0x000000783827f890  ?  0x000000783827f8c0  ?  0x000000783827f8f0  ?  0x000000783827f920  ?  0x000000783827f950  ?  0x000000783827fa00  ?  0x000000783827fb60
    $pc       : 0x000000556d6390a4  ?  <nl::Weave::TLV::TLVReader::ReadElement()+56> ldrb w0,  [x0]
    $cpsr     : [fast interrupt overflow CARRY ZERO negative]
    $fpsr     : 0x0000000000000010
    $fpcr     : 0x0000000000000000
    ?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????[ stack ]????
    0x000000783827f840?+0x00: 0x000000783827f890  ?  0x000000783827f8c0  ?  0x000000783827f8f0  ?  0x000000783827f920  ?  0x000000783827f950  ?  0x000000783827fa00  ?  0x000000783827fb60   ? $sp
    0x000000783827f848?+0x08: 0x000000556d639048  ?  <nl::Weave::TLV::TLVReader::SkipToEndOfContainer()+220> str w0,  [x29, #32]
    0x000000783827f850?+0x10: 0x0000ffea6d59c570
    0x000000783827f858?+0x18: 0x000000783827f998  ?  0x3c3c1f7000000004
    0x000000783827f860?+0x20: 0x000000783827f890  ?  0x000000783827f8c0  ?  0x000000783827f8f0  ?  0x000000783827f920  ?  0x000000783827f950  ?  0x000000783827fa00  ?  0x000000783827fb60
    0x000000783827f868?+0x28: 0x000000556d639028  ?  <nl::Weave::TLV::TLVReader::SkipToEndOfContainer()+188> str w0,  [x29, #32]
    0x000000783827f870?+0x30: 0x000000e03827f890
    0x000000783827f878?+0x38: 0x000000783827f998  ?  0x3c3c1f7000000004
    ??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????[ code:aarch64 ]????
       0x556d63908c <nl::Weave::TLV::TLVReader::ReadElement()+32> cmp    w0,  wzr
       0x556d639090 <nl::Weave::TLV::TLVReader::ReadElement()+36> b.eq   0x556d63909c <_ZN2nl5Weave3TLV9TLVReader11ReadElementEv+48>
       0x556d639094 <nl::Weave::TLV::TLVReader::ReadElement()+40> ldr    w0,  [x29, #76]
       0x556d639098 <nl::Weave::TLV::TLVReader::ReadElement()+44> b      0x556d6392ac <_ZN2nl5Weave3TLV9TLVReader11ReadElementEv+576>
       0x556d63909c <nl::Weave::TLV::TLVReader::ReadElement()+48> ldr    x0,  [x29, #24]
       0x556d6390a0 <nl::Weave::TLV::TLVReader::ReadElement()+52> ldr    x0,  [x0, #48]
     ? 0x556d6390a4 <nl::Weave::TLV::TLVReader::ReadElement()+56> ldrb   w0,  [x0]
       0x556d6390a8 <nl::Weave::TLV::TLVReader::ReadElement()+60> uxth   w1,  w0
       0x556d6390ac <nl::Weave::TLV::TLVReader::ReadElement()+64> ldr    x0,  [x29, #24]
       0x556d6390b0 <nl::Weave::TLV::TLVReader::ReadElement()+68> strh   w1,  [x0, #76]
       0x556d6390b4 <nl::Weave::TLV::TLVReader::ReadElement()+72> ldr    x0,  [x29, #24]
       0x556d6390b8 <nl::Weave::TLV::TLVReader::ReadElement()+76> bl     0x556d63986c <_ZNK2nl5Weave3TLV9TLVReader11ElementTypeEv>
    ?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????[ trace ]????
    [#0] 0x556d6390a4 ? Name: nl::Weave::TLV::TLVReader::ReadElement()()...
    [#1] 0x556d639048 ? Name: nl::Weave::TLV::TLVReader::SkipToEndOfContainer()()...
    [#2] 0x556d638c5c ? Name: nl::Weave::TLV::TLVReader::ExitContainer(nl::Weave::TLV::TLVType)()...
    [#3] 0x556d638e7c ? Name: nl::Weave::TLV::TLVReader::Skip()()...
    [#4] 0x556d638d1c ? Name: nl::Weave::TLV::TLVReader::Next()()...
    [#5] 0x556d64b080 ? Name: nl::Weave::Profiles::Security::CASE::WeaveCASEEngine::DecodeCertificateInfo(nl::Weave::Pr...
    [#6] 0x556d64ab6c ? Name: nl::Weave::Profiles::Security::CASE::WeaveCASEEngine::VerifySignature(nl::Weave::Profiles...
    [#7] 0x556d649ac4 ? Name: nl::Weave::Profiles::Security::CASE::WeaveCASEEngine::ProcessBeginSessionRequest(nl::Weav...
    ??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    0x000000556d6390a4 in nl::Weave::TLV::TLVReader::ReadElement() ()
    <(^_^)> info reg x0
    x0             0x556d83cbea     0x556d83cbea
    <(^_^)> x/10gx $x0
    0x556d83cbea:   Cannot access memory at address 0x556d83cbea
    

**Timeline**

2019-04-18 - Vendor Disclosure  
2019-05-20 - Vendor completed analysis  
2019-06-18 - Follow up with vendor  
2019-07-02 - 90 day notice; Vendor advised updates scheduled for release mid-July  
2019-07-18 - Vendor advised fix will release end of July and be tested in the field  
2019-07-26 - Extended disclosure date to 2019-08-15  
2019-08-19 - Public Release

Discovered by Lilith Wyatt and Claudio Bozzato of Cisco Talos.

Tag

#google