CVE-2024-6564 - OpenCVE

Buffer overflow in "rcar_dev_init" due to using due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Renesas	Arm-trusted-firmware

Configuration 1 [-]

cpe:2.3:o:renesas:arm-trusted-firmware:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://asrg.io/security-advisories/cve-2024-6564/
https://github.com/renesas-rcar/arm-trusted-firmware/commit/c9fb3558410032d2660c7f3b7d4b87dec09fe2f2

History

Thu, 22 Aug 2024 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Renesas Renesas arm-trusted-firmware
CPEs	cpe:2.3:o:rensas:arm-trusted-firmware:-:::::::*	cpe:2.3:o:renesas:arm-trusted-firmware:-:::::::*
Vendors & Products	Rensas Rensas arm-trusted-firmware	Renesas Renesas arm-trusted-firmware

MITRE

Status: PUBLISHED

Assigner: ASRG

Published: 2024-07-08T15:18:17.265Z

Updated: 2024-08-01T21:41:03.762Z

Reserved: 2024-07-08T15:06:44.987Z

Link: CVE-2024-6564

Vulnrichment

Updated: 2024-08-01T21:41:03.762Z

NVD

Status : Analyzed

Published: 2024-07-08T16:15:09.423

Modified: 2024-08-22T15:52:05.033

Link: CVE-2024-6564

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6564", "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "state": "PUBLISHED", "assignerShortName": "ASRG", "dateReserved": "2024-07-08T15:06:44.987Z", "datePublished": "2024-07-08T15:18:17.265Z", "dateUpdated": "2024-08-01T21:41:03.762Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "arm-trusted-firmware", "product": "rcar_gen3_v2.5", "programFiles": ["https://github.com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.c"], "repo": "https://github.com/renesas-rcar/arm-trusted-firmware/", "vendor": "Renesas", "versions": [{"lessThanOrEqual": "c9fb3558410032d2660c7f3b7d4b87dec09fe2f2", "status": "affected", "version": "c2f286820471ed276c57e603762bd831873e5a17", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tomer Fichman"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Buffer overflow in \"rcar_dev_init\" due to using due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot.</span><br>"}], "value": "Buffer overflow in \"rcar_dev_init\" due to using due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot."}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "shortName": "ASRG", "dateUpdated": "2024-07-08T15:20:00.212Z"}, "references": [{"url": "https://github.com/renesas-rcar/arm-trusted-firmware/commit/c9fb3558410032d2660c7f3b7d4b87dec09fe2f2"}, {"tags": ["third-party-advisory"], "url": "https://asrg.io/security-advisories/cve-2024-6564/"}], "source": {"discovery": "UNKNOWN"}, "title": "Buffer overflow in Rensas RCAR", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "renesas", "product": "rcar_gen3_v2.5", "cpes": ["cpe:2.3:a:renesas:rcar_gen3_v2.5:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "c2f286820471ed276c57e603762bd831873e5a17", "status": "affected", "lessThanOrEqual": "c9fb3558410032d2660c7f3b7d4b87dec09fe2f2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-09T15:14:13.300448Z", "id": "CVE-2024-6564", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-09T15:17:54.446Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:41:03.762Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/renesas-rcar/arm-trusted-firmware/commit/c9fb3558410032d2660c7f3b7d4b87dec09fe2f2", "tags": ["x_transferred"]}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://asrg.io/security-advisories/cve-2024-6564/"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/renesas-rcar/arm-trusted-firmware/commit/c9fb3558410032d2660c7f3b7d4b87dec09fe2f2", "tags": ["x_transferred"]}, {"url": "https://asrg.io/security-advisories/cve-2024-6564/", "tags": ["third-party-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:41:03.762Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6564", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-09T15:14:13.300448Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:renesas:rcar_gen3_v2.5:*:*:*:*:*:*:*:*"], "vendor": "renesas", "product": "rcar_gen3_v2.5", "versions": [{"status": "affected", "version": "c2f286820471ed276c57e603762bd831873e5a17", "versionType": "custom", "lessThanOrEqual": "c9fb3558410032d2660c7f3b7d4b87dec09fe2f2"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-09T15:17:48.731Z"}}], "cna": {"title": "Buffer overflow in Rensas RCAR", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tomer Fichman"}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/renesas-rcar/arm-trusted-firmware/", "vendor": "Renesas", "product": "rcar_gen3_v2.5", "versions": [{"status": "affected", "version": "c2f286820471ed276c57e603762bd831873e5a17", "versionType": "git", "lessThanOrEqual": "c9fb3558410032d2660c7f3b7d4b87dec09fe2f2"}], "packageName": "arm-trusted-firmware", "programFiles": ["https://github.com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.c"], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/renesas-rcar/arm-trusted-firmware/commit/c9fb3558410032d2660c7f3b7d4b87dec09fe2f2"}, {"url": "https://asrg.io/security-advisories/cve-2024-6564/", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Buffer overflow in \"rcar_dev_init\" due to using due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Buffer overflow in \"rcar_dev_init\" due to using due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "providerMetadata": {"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "shortName": "ASRG", "dateUpdated": "2024-07-08T15:20:00.212Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6564", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:41:03.762Z", "dateReserved": "2024-07-08T15:06:44.987Z", "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "datePublished": "2024-07-08T15:18:17.265Z", "assignerShortName": "ASRG"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:renesas:arm-trusted-firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "16A2BDC3-F664-4132-8148-9DB849240F8B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Buffer overflow in \"rcar_dev_init\" due to using due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot."}, {"lang": "es", "value": "Desbordamiento del b\u00fafer en \"rcar_dev_init\" debido al uso de datos que no son de confianza (rcar_image_number) como contador de bucle antes de verificarlo con RCAR_MAX_BL3X_IMAGE. Esto podr\u00eda provocar una omisi\u00f3n total del arranque seguro."}], "id": "CVE-2024-6564", "lastModified": "2024-08-22T15:52:05.033", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "cve@asrg.io", "type": "Secondary"}]}, "published": "2024-07-08T16:15:09.423", "references": [{"source": "cve@asrg.io", "tags": ["Third Party Advisory"], "url": "https://asrg.io/security-advisories/cve-2024-6564/"}, {"source": "cve@asrg.io", "tags": ["Patch"], "url": "https://github.com/renesas-rcar/arm-trusted-firmware/commit/c9fb3558410032d2660c7f3b7d4b87dec09fe2f2"}], "sourceIdentifier": "cve@asrg.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-120"}], "source": "cve@asrg.io", "type": "Secondary"}]}