{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39274", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T12:00:43.291Z", "dateReserved": "2022-09-02T00:00:00", "datePublished": "2022-10-06T00:00:00"}, "containers": {"cna": {"title": "Buffer Overflow in `ProcessRadioRxDone` in LoRaMac-node", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-11T00:00:00"}, "descriptions": [{"lang": "en", "value": "LoRaMac-node is a reference implementation and documentation of a LoRa network node. Versions of LoRaMac-node prior to 4.7.0 are vulnerable to a buffer overflow. Improper size validation of the incoming radio frames can lead to an 65280-byte out-of-bounds write. The function `ProcessRadioRxDone` implicitly expects incoming radio frames to have at least a payload of one byte or more. An empty payload leads to a 1-byte out-of-bounds read of user controlled content when the payload buffer is reused. This allows an attacker to craft a FRAME_TYPE_PROPRIETARY frame with size -1 which results in an 65280-byte out-of-bounds memcopy likely with partially controlled attacker data. Corrupting a large part if the data section is likely to cause a DoS. If the large out-of-bounds write does not immediately crash the attacker may gain control over the execution due to now controlling large parts of the data section. Users are advised to upgrade either by updating their package or by manually applying the patch commit `e851b079`."}], "affected": [{"vendor": "Lora-net", "product": "LoRaMac-node", "versions": [{"version": "< 4.7.0", "status": "affected"}]}], "references": [{"url": "https://github.com/Lora-net/LoRaMac-node/security/advisories/GHSA-7vv8-73pc-63c2"}, {"url": "https://github.com/Lora-net/LoRaMac-node/commit/e851b079c82ba1bcf3f4d291ab69a571b0bf458a"}, {"url": "https://github.com/Lora-net/LoRaMac-node/releases/tag/v4.7.0"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "cweId": "CWE-120"}]}], "source": {"advisory": "GHSA-7vv8-73pc-63c2", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.291Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/Lora-net/LoRaMac-node/security/advisories/GHSA-7vv8-73pc-63c2", "tags": ["x_transferred"]}, {"url": "https://github.com/Lora-net/LoRaMac-node/commit/e851b079c82ba1bcf3f4d291ab69a571b0bf458a", "tags": ["x_transferred"]}, {"url": "https://github.com/Lora-net/LoRaMac-node/releases/tag/v4.7.0", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:semtech:loramac-node:*:*:*:*:*:*:*:*", "matchCriteriaId": "56397603-5EB1-4482-8FE6-2C606C7D2026", "versionEndExcluding": "4.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LoRaMac-node is a reference implementation and documentation of a LoRa network node. Versions of LoRaMac-node prior to 4.7.0 are vulnerable to a buffer overflow. Improper size validation of the incoming radio frames can lead to an 65280-byte out-of-bounds write. The function `ProcessRadioRxDone` implicitly expects incoming radio frames to have at least a payload of one byte or more. An empty payload leads to a 1-byte out-of-bounds read of user controlled content when the payload buffer is reused. This allows an attacker to craft a FRAME_TYPE_PROPRIETARY frame with size -1 which results in an 65280-byte out-of-bounds memcopy likely with partially controlled attacker data. Corrupting a large part if the data section is likely to cause a DoS. If the large out-of-bounds write does not immediately crash the attacker may gain control over the execution due to now controlling large parts of the data section. Users are advised to upgrade either by updating their package or by manually applying the patch commit `e851b079`."}, {"lang": "es", "value": "LoRaMac-node es una implementaci\u00f3n de referencia y documentaci\u00f3n de un nodo de red LoRa. Las versiones de LoRaMac-node anteriores a 4.7.0 son vulnerables a un desbordamiento del b\u00fafer. Una comprobaci\u00f3n inapropiada del tama\u00f1o de las tramas de radio entrantes puede conllevar a una escritura de 65280 bytes fuera de l\u00edmites. La funci\u00f3n \"ProcessRadioRxDone\" espera impl\u00edcitamente que las tramas de radio entrantes tengan al menos una carga \u00fatil de un byte o m\u00e1s. Una carga \u00fatil vac\u00eda conlleva una lectura de 1 byte fuera de l\u00edmites del contenido controlado por el usuario cuando es reusado el b\u00fafer de carga \u00fatil. Esto permite a un atacante dise\u00f1ar una trama FRAME_TYPE_PROPRIETARY de tama\u00f1o -1, lo que resulta en una copia de memoria de 65280 bytes fuera de l\u00edmites, probablemente con datos parcialmente controlados por el atacante. Corromper una gran parte de la secci\u00f3n de datos puede causar un DoS. Si la gran escritura fuera de l\u00edmites no es bloqueada inmediatamente, el atacante puede conseguir el control de la ejecuci\u00f3n debido a que ahora controla grandes partes de la secci\u00f3n de datos. Es recomendado a usuarios actualizar su paquete o que apliquen manualmente el parche commit \"e851b079\""}], "id": "CVE-2022-39274", "lastModified": "2023-06-27T18:44:14.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-10-06T18:16:16.103", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Lora-net/LoRaMac-node/commit/e851b079c82ba1bcf3f4d291ab69a571b0bf458a"}, {"source": "security-advisories@github.com", "tags": ["Broken Link", "Third Party Advisory"], "url": "https://github.com/Lora-net/LoRaMac-node/releases/tag/v4.7.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Lora-net/LoRaMac-node/security/advisories/GHSA-7vv8-73pc-63c2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-193"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-120"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}