{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-48985", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-11-20T20:04:18.509336", "dateReserved": "2024-10-11T00:00:00", "datePublished": "2024-11-20T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-11-20T20:04:18.509336"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in MBed OS 6.16.0. During processing of HCI packets, the software dynamically determines the length of the packet data by reading 2 bytes from the packet data. A buffer is then allocated to contain the entire packet, the size of which is calculated as the length of the packet body determined earlier and the header length. If the allocate fails because the specified packet is too large, no exception handling occurs and hciTrSerialRxIncoming continues to write bytes into the 4-byte large temporary header buffer, leading to a buffer overflow. This can be leveraged into an arbitrary write by an attacker. It is possible to overwrite the pointer to the buffer that is supposed to receive the contents of the packet body but which couldn't be allocated. One can then overwrite the state variable used by the function to determine which step of the parsing process is currently being executed. This advances the function to the next state, where it proceeds to copy data to that arbitrary location. The packet body is then written wherever the corrupted data pointer is pointing."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/mbed-ce/mbed-os/blob/54e8693ef4ff7e025018094f290a1d5cf380941f/connectivity/FEATURE_BLE/source/cordio/stack_adaptation/hci_tr.c#L200"}, {"url": "https://github.com/mbed-ce/mbed-os/pull/384"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:arm:mbed:6.16.0:*:*:*:*:*:*:*", "matchCriteriaId": "C9CE74E6-6FC6-4507-A9EE-F74B3E02FCB8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in MBed OS 6.16.0. During processing of HCI packets, the software dynamically determines the length of the packet data by reading 2 bytes from the packet data. A buffer is then allocated to contain the entire packet, the size of which is calculated as the length of the packet body determined earlier and the header length. If the allocate fails because the specified packet is too large, no exception handling occurs and hciTrSerialRxIncoming continues to write bytes into the 4-byte large temporary header buffer, leading to a buffer overflow. This can be leveraged into an arbitrary write by an attacker. It is possible to overwrite the pointer to the buffer that is supposed to receive the contents of the packet body but which couldn't be allocated. One can then overwrite the state variable used by the function to determine which step of the parsing process is currently being executed. This advances the function to the next state, where it proceeds to copy data to that arbitrary location. The packet body is then written wherever the corrupted data pointer is pointing."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en MBed OS 6.16.0. Durante el procesamiento de paquetes HCI, el software determina din\u00e1micamente la longitud de los datos del paquete leyendo 2 bytes de los datos del paquete. Luego se asigna un b\u00fafer para contener el paquete completo, cuyo tama\u00f1o se calcula como la longitud del cuerpo del paquete determinado anteriormente y la longitud del encabezado. Si la asignaci\u00f3n falla porque el paquete especificado es demasiado grande, no se produce ning\u00fan manejo de excepciones y hciTrSerialRxIncoming contin\u00faa escribiendo bytes en el b\u00fafer de encabezado temporal de 4 bytes, lo que genera un desbordamiento del b\u00fafer. Un atacante puede aprovechar esto para realizar una escritura arbitraria. Es posible sobrescribir el puntero al b\u00fafer que se supone que debe recibir el contenido del cuerpo del paquete pero que no se pudo asignar. Luego, se puede sobrescribir la variable de estado utilizada por la funci\u00f3n para determinar qu\u00e9 paso del proceso de an\u00e1lisis se est\u00e1 ejecutando actualmente. Esto hace avanzar la funci\u00f3n al siguiente estado, donde procede a copiar datos a esa ubicaci\u00f3n arbitraria. Luego, el cuerpo del paquete se escribe dondequiera que apunte el puntero de datos da\u00f1ado."}], "id": "CVE-2024-48985", "lastModified": "2024-11-22T17:19:54.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-11-20T20:15:19.270", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/mbed-ce/mbed-os/blob/54e8693ef4ff7e025018094f290a1d5cf380941f/connectivity/FEATURE_BLE/source/cordio/stack_adaptation/hci_tr.c#L200"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://github.com/mbed-ce/mbed-os/pull/384"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}