CVE-2018-18068 - OpenCVE

The ARM-based hardware debugging feature on Raspberry Pi 3 module B+ and possibly other devices allows non-secure EL1 code to read/write any EL3 (the highest privilege level in ARMv8) memory/register via inter-processor debugging. With a debug host processor A running in non-secure EL1 and a debug target processor B running in any privilege level, the debugging feature allows A to halt B and promote B to any privilege level. As a debug host, A has full control of B even if B owns a higher privilege level than A. Accordingly, A can read/write any EL3 memory/register via B. Also, with this memory access, A can execute arbitrary code in EL3.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Raspberrypi	Raspberry Pi 3 Model B\+ Raspberry Pi 3 Model B\+ Firmware

Configuration 1 [-]

AND

cpe:2.3:h:raspberrypi:raspberry_pi_3_model_b\+:-:*:*:*:*:*:*:*

cpe:2.3:o:raspberrypi:raspberry_pi_3_model_b\+_firmware:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.cs.wayne.edu/fengwei/paper/nailgun-sp19.pdf
https://www.computer.org/csdl/proceedings-article/sp/2019/666000b157/17D45WHONhv

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-04-04T19:13:46

Updated: 2024-08-05T11:01:14.911Z

Reserved: 2018-10-08T00:00:00

Link: CVE-2018-18068

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-04-04T20:29:00.220

Modified: 2019-10-03T00:03:26.223

Link: CVE-2018-18068

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-01-28T00:00:00", "descriptions": [{"lang": "en", "value": "The ARM-based hardware debugging feature on Raspberry Pi 3 module B+ and possibly other devices allows non-secure EL1 code to read/write any EL3 (the highest privilege level in ARMv8) memory/register via inter-processor debugging. With a debug host processor A running in non-secure EL1 and a debug target processor B running in any privilege level, the debugging feature allows A to halt B and promote B to any privilege level. As a debug host, A has full control of B even if B owns a higher privilege level than A. Accordingly, A can read/write any EL3 memory/register via B. Also, with this memory access, A can execute arbitrary code in EL3."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-04-04T19:13:46", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.computer.org/csdl/proceedings-article/sp/2019/666000b157/17D45WHONhv"}, {"tags": ["x_refsource_MISC"], "url": "http://www.cs.wayne.edu/fengwei/paper/nailgun-sp19.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-18068", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The ARM-based hardware debugging feature on Raspberry Pi 3 module B+ and possibly other devices allows non-secure EL1 code to read/write any EL3 (the highest privilege level in ARMv8) memory/register via inter-processor debugging. With a debug host processor A running in non-secure EL1 and a debug target processor B running in any privilege level, the debugging feature allows A to halt B and promote B to any privilege level. As a debug host, A has full control of B even if B owns a higher privilege level than A. Accordingly, A can read/write any EL3 memory/register via B. Also, with this memory access, A can execute arbitrary code in EL3."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.computer.org/csdl/proceedings-article/sp/2019/666000b157/17D45WHONhv", "refsource": "MISC", "url": "https://www.computer.org/csdl/proceedings-article/sp/2019/666000b157/17D45WHONhv"}, {"name": "http://www.cs.wayne.edu/fengwei/paper/nailgun-sp19.pdf", "refsource": "MISC", "url": "http://www.cs.wayne.edu/fengwei/paper/nailgun-sp19.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T11:01:14.911Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.computer.org/csdl/proceedings-article/sp/2019/666000b157/17D45WHONhv"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.cs.wayne.edu/fengwei/paper/nailgun-sp19.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-18068", "datePublished": "2019-04-04T19:13:46", "dateReserved": "2018-10-08T00:00:00", "dateUpdated": "2024-08-05T11:01:14.911Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:raspberrypi:raspberry_pi_3_model_b\\+:-:*:*:*:*:*:*:*", "matchCriteriaId": "05303822-9252-471C-9209-7DBB593A3874", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:raspberrypi:raspberry_pi_3_model_b\\+_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "2C0914D7-A1AE-42A4-B8D3-DAD85DB4CA13", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The ARM-based hardware debugging feature on Raspberry Pi 3 module B+ and possibly other devices allows non-secure EL1 code to read/write any EL3 (the highest privilege level in ARMv8) memory/register via inter-processor debugging. With a debug host processor A running in non-secure EL1 and a debug target processor B running in any privilege level, the debugging feature allows A to halt B and promote B to any privilege level. As a debug host, A has full control of B even if B owns a higher privilege level than A. Accordingly, A can read/write any EL3 memory/register via B. Also, with this memory access, A can execute arbitrary code in EL3."}, {"lang": "es", "value": "La funcionalidad de depuraci\u00f3n de hardware basada en ARM en el m\u00f3dulo B+ de Raspberry Pi 3 y, posiblemente otros dispositivos, permite que un c\u00f3digo EL1 inseguro lea/escriba cualquier memoria/registro EL3 (el nivel de privilegios m\u00e1s alto en ARMv8) mediante un proceso de depuraci\u00f3n de interprocesador. Con un procesador de depuraci\u00f3n host \"A\" que opera con c\u00f3digo EL1 inseguro y un procesador de depuraci\u00f3n objetivo B que opera con cualquier nivel de privilegios, la funcionalidad de depuraci\u00f3n permite a \"A\" detener \"B\" y asciende \"B\" a cualquier nivel de privilegios. Como host de depuraci\u00f3n, A tiene el control total sobre B aunque B posee a nivel de privilegios m\u00e1s alto que A. Por consiguiente, A puede leer/escribir cualquier memoria/registro EL3 a trav\u00e9s de B. Asimismo, con este acceso a la memoria, A puede ejecutar c\u00f3digo arbitrario en EL3 tambi\u00e9n."}], "id": "CVE-2018-18068", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-04T20:29:00.220", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "http://www.cs.wayne.edu/fengwei/paper/nailgun-sp19.pdf"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.computer.org/csdl/proceedings-article/sp/2019/666000b157/17D45WHONhv"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-668"}], "source": "nvd@nist.gov", "type": "Primary"}]}