.. _vulnerabilities:

Vulnerabilities
###############

This page collects all of the vulnerabilities that are discovered and
fixed in each release.  It will also often have more details than are
available in the release notes.  Some vulnerabilities are deemed to be
sensitive, and will not be publicly discussed until there has been
sufficient time to fix them.  Because the release notes are locked to
a version, the information here can be updated after the embargo is
lifted.

CVE-2017
========

CVE-2017-14199
--------------

Buffer overflow in :code:`getaddrinfo()`.

- `CVE-2017-14199 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14199>`_

- `Zephyr project bug tracker ZEPSEC-12
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-12>`_

- `PR6158 fix for 1.11.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/6158>`_

CVE-2017-14201
--------------

The shell DNS command can cause unpredictable results due to misuse of
stack variables.

A Use After Free vulnerability in the Zephyr shell allows a serial- or
telnet-connected user to cause a denial of service, and possibly remote
code execution.

This has been fixed in release v1.14.0.

- `CVE-2017-14201 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14201>`_

- `Zephyr project bug tracker ZEPSEC-17
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-17>`_

- `PR13260 fix for v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/13260>`_

CVE-2017-14202
--------------

The shell implementation does not protect against buffer overruns,
resulting in unpredictable behavior.

An Improper Restriction of Operations within the Bounds of a Memory
Buffer vulnerability in the shell component of Zephyr allows a serial-
or telnet-connected user to cause a crash, possibly with arbitrary
code execution.

This has been fixed in release v1.14.0.

- `CVE-2017-14202 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14202>`_

- `Zephyr project bug tracker ZEPSEC-18
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-18>`_

- `PR13048 fix for v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/13048>`_

CVE-2019
========

CVE-2019-9506
-------------

The Bluetooth BR/EDR specification up to and including version 5.1
permits sufficiently low encryption key length and does not prevent an
attacker from influencing the key length negotiation. This allows
practical brute-force attacks (aka "KNOB") that can decrypt traffic
and inject arbitrary ciphertext without the victim noticing.

- `CVE-2019-9506 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9506>`_

- `Zephyr project bug tracker ZEPSEC-20
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-20>`_

- `PR18702 fix for v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/18702>`_

- `PR18659 fix for v2.0.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/18659>`_

CVE-2020
========

CVE-2020-10019
--------------

A Buffer Overflow vulnerability in the USB DFU implementation of Zephyr
allows a USB-connected host to cause possible remote code execution.

This has been fixed in releases v1.14.2, v2.2.0, and v2.1.1.

- `CVE-2020-10019 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10019>`_

- `Zephyr project bug tracker ZEPSEC-25
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-25>`_

- `PR23460 fix for 1.14.x
  <https://github.com/zephyrproject-rtos/zephyr/pull/23460>`_

- `PR23457 fix for 2.1.x
  <https://github.com/zephyrproject-rtos/zephyr/pull/23457>`_

- `PR23190 fix in 2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23190>`_

CVE-2020-10021
--------------

Out-of-bounds write in USB Mass Storage with unaligned sizes

Out-of-bounds write in the USB Mass Storage memoryWrite handler with
unaligned sizes.

See NCC-ZEP-024, NCC-ZEP-025, NCC-ZEP-026

This has been fixed in releases v1.14.2 and v2.2.0.

- `CVE-2020-10021 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10021>`_

- `Zephyr project bug tracker ZEPSEC-26
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-26>`_

- `PR23455 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23455>`_

- `PR23456 fix for the v2.1 branch
  <https://github.com/zephyrproject-rtos/zephyr/pull/23456>`_

- `PR23240 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23240>`_

CVE-2020-10022
--------------

UpdateHub Module Copies a Variable-Size Hash String Into a Fixed-Size Array

A malformed JSON payload that is received from an UpdateHub server may
trigger memory corruption in the Zephyr OS. This could result in a
denial of service in the best case, or code execution in the worst
case.

See NCC-ZEP-016

This has been fixed in the pull requests below for main, the branch
from v2.1.0, and the branch from v2.2.0.

- `CVE-2020-10022 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10022>`_

- `Zephyr project bug tracker ZEPSEC-28
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-28>`_

- `PR24154 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/24154>`_

- `PR24065 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/24065>`_

- `PR24066 fix for branch from v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/24066>`_

CVE-2020-10023
--------------

Shell Subsystem Contains a Buffer Overflow Vulnerability In
shell_spaces_trim

The shell subsystem contains a buffer overflow, whereby an adversary
with physical access to the device is able to cause a memory
corruption, resulting in denial of service or possibly code execution
within the Zephyr kernel.

See NCC-ZEP-019

This has been fixed in releases v1.14.2, v2.2.0, and in a branch from
v2.1.0.

- `CVE-2020-10023 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10023>`_

- `Zephyr project bug tracker ZEPSEC-29
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-29>`_

- `PR23646 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23646>`_

- `PR23649 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23649>`_

- `PR23304 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23304>`_

CVE-2020-10024
--------------

ARM Platform Uses Signed Integer Comparison When Validating Syscall
Numbers

The ARM platform-specific code uses a signed integer comparison when
validating system call numbers. An attacker who has obtained code
execution within a user thread is able to elevate privileges to that
of the kernel.

See NCC-ZEP-001

This has been fixed in releases v1.14.2 and v2.2.0, and in a branch
from v2.1.0.

- `CVE-2020-10024 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10024>`_

- `Zephyr project bug tracker ZEPSEC-30
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-30>`_

- `PR23535 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23535>`_

- `PR23498 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23498>`_

- `PR23323 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23323>`_

CVE-2020-10027
--------------

ARC Platform Uses Signed Integer Comparison When Validating Syscall
Numbers

An attacker who has obtained code execution within a user thread is
able to elevate privileges to that of the kernel.

See NCC-ZEP-001

This has been fixed in releases v1.14.2 and v2.2.0, and in a branch
from v2.1.0.

- `CVE-2020-10027 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10027>`_

- `Zephyr project bug tracker ZEPSEC-35
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-35>`_

- `PR23500 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23500>`_

- `PR23499 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23499>`_

- `PR23328 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23328>`_

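The signed-comparison flaw behind CVE-2020-10024 and CVE-2020-10027 is easiest to see with the two checks side by side. The following is an added illustration and not Zephyr's syscall dispatch code: the table size ``SYSCALL_TABLE_SIZE`` and all function names are constructed for the example. It shows why a signed upper-bound compare lets a negative syscall number through, how that number turns into a huge unsigned table index, and why comparing the number as unsigned against the table size is the general fix for any "index < limit" check on untrusted input.

```c
/* Added example (not Zephyr code): syscall-number validation with a
 * signed compare versus an unsigned compare. SYSCALL_TABLE_SIZE is a
 * constructed table size, not Zephyr's real value. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define SYSCALL_TABLE_SIZE 64u   /* constructed: number of handler slots */

/* Weak validator in the shape the advisory describes: the ID is a signed
 * integer checked only against a signed upper bound. Any negative ID
 * passes, because e.g. -1 <= 63 is true. */
bool syscall_id_valid_weak(int32_t id)
{
    return id <= (int32_t)SYSCALL_TABLE_SIZE - 1;
}

/* Hardened validator: the ID is treated as unsigned, so every negative
 * value becomes a large number and one bound check rejects it. */
bool syscall_id_valid_fixed(uint32_t id)
{
    return id < SYSCALL_TABLE_SIZE;
}

/* The handler table is indexed with an unsigned value, so a signed -1
 * that slipped through the weak check becomes 0xffffffff here. */
uint32_t syscall_table_index(int32_t id)
{
    return (uint32_t)id;
}

/* True when the weak check accepts an ID whose table index lies outside
 * the table, i.e. the condition that lets a user thread steer the
 * kernel's dispatch past the end of the handler table. */
bool weak_check_allows_oob(int32_t id)
{
    return syscall_id_valid_weak(id) &&
           syscall_table_index(id) >= SYSCALL_TABLE_SIZE;
}

int main(void)
{
    int32_t probe = -1;   /* constructed input: a negative syscall number */
    printf("id=%d weak=%d fixed=%d index=0x%08x\n", probe,
           syscall_id_valid_weak(probe),
           syscall_id_valid_fixed((uint32_t)probe),
           syscall_table_index(probe));
    return 0;
}
```

Run stand-alone, the program reports that the weak check accepts ``-1``, the fixed check rejects it, and the index the table would be accessed with is ``0xffffffff``. Any validator that compares an attacker-controlled index against a limit should take the index as an unsigned type for exactly this reason.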
CVE-2020-10028
--------------

Multiple Syscalls In GPIO Subsystem Perform No Argument Validation

Multiple GPIO syscalls perform insufficient argument validation.

See NCC-ZEP-006

This has been fixed in releases v1.14.2 and v2.2.0, and in a branch
from v2.1.0.

- `CVE-2020-10028 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10028>`_

- `Zephyr project bug tracker ZEPSEC-32
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-32>`_

- `PR23733 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23733>`_

- `PR23737 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23737>`_

- `PR23308 fix for v2.2.0 (gpio patch)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23308>`_

CVE-2020-10058
--------------

Multiple Syscalls In kscan Subsystem Perform No Argument Validation

Multiple syscalls in the kscan subsystem perform insufficient argument
validation, allowing code executing in userspace to potentially gain
elevated privileges.

See NCC-ZEP-006

This has been fixed in a branch from v2.1.0, and in release v2.2.0.

- `CVE-2020-10058 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10058>`_

- `Zephyr project bug tracker ZEPSEC-34
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-34>`_

- `PR23748 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23748>`_

- `PR23308 fix for v2.2.0 (kscan patch)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23308>`_

CVE-2020-10059
--------------

UpdateHub Module Explicitly Disables TLS Verification

The UpdateHub module disables DTLS peer checking, which allows for a
man-in-the-middle attack. This is mitigated by firmware images
requiring valid signatures. However, there is no benefit to using DTLS
without the peer checking.

See NCC-ZEP-018

This has been fixed in a PR against Zephyr main.

- `CVE-2020-10059 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10059>`_

- `Zephyr project bug tracker ZEPSEC-36
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-36>`_

- `PR24954 fix on main (to be fixed in v2.3.0)
  <https://github.com/zephyrproject-rtos/zephyr/pull/24954>`_

- `PR24999 fix for v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/24999>`_

- `PR24997 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/24997>`_

CVE-2020-10060
--------------

UpdateHub Might Dereference An Uninitialized Pointer

In :code:`updatehub_probe`, right after JSON parsing is complete,
:code:`objects[1]` is accessed from the output structure in two
different places. If the JSON contained fewer than two elements, this
access would reference uninitialized stack memory. This could result
in a crash, denial of service, or possibly an information leak.

It is recommended to disable UpdateHub until a fix can be made
available.

See NCC-ZEP-030

This has been fixed in a PR against Zephyr main.

- `CVE-2020-10060 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10060>`_

- `Zephyr project bug tracker ZEPSEC-37
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-37>`_

- `PR27865 fix on main (to be fixed in v2.4.0)
  <https://github.com/zephyrproject-rtos/zephyr/pull/27865>`_

- `PR27889 fix for v2.3.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/27889>`_

- `PR27891 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/27891>`_

- `PR27893 fix for v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/27893>`_

CVE-2020-10061
--------------

Error handling invalid packet sequence

Improper handling of the full-buffer case in the Zephyr Bluetooth
implementation can result in memory corruption.

This has been fixed in branches for v1.14.0, v2.2.0, and will be
included in v2.3.0.

- `CVE-2020-10061 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10061>`_

- `Zephyr project bug tracker ZEPSEC-75
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-75>`_

- `PR23516 fix for v2.3 (split driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23516>`_

- `PR23517 fix for v2.3 (legacy driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23517>`_

- `PR23091 fix for branch from v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23091>`_

- `PR23547 fix for branch from v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23547>`_

CVE-2020-10062
--------------

Packet length decoding error in MQTT

An off-by-one error in the Zephyr project MQTT packet length decoder
can result in memory corruption and possible remote code execution.

The MQTT packet header length field can be 1 to 4 bytes. An off-by-one
error in the code can result in this being interpreted as 5 bytes,
which can cause an integer overflow, resulting in memory corruption.

See NCC-ZEP-031

This has been fixed in main for v2.3.

- `CVE-2020-10062 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10062>`_

- `Zephyr project bug tracker ZEPSEC-84
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-84>`_

- `commit 11b7a37d for v2.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/23821/commits/11b7a37d9a0b438270421b224221d91929843de4>`_

- `NCC-ZEP report`_ (NCC-ZEP-031)

.. _NCC-ZEP report: https://research.nccgroup.com/2020/05/26/research-report-zephyr-and-mcuboot-security-assessment

CVE-2020-10063
--------------

Remote Denial of Service in CoAP Option Parsing Due To Integer
Overflow

A remote adversary with the ability to send arbitrary CoAP packets to
be parsed by Zephyr is able to cause a denial of service.

This has been fixed in main for v2.3.

- `CVE-2020-10063 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10063>`_

- `Zephyr project bug tracker ZEPSEC-55
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-55>`_

- `PR24435 fix in main for v2.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/24435>`_

- `PR24531 fix for branch from v2.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/24531>`_

- `PR24535 fix for branch from v2.1
  <https://github.com/zephyrproject-rtos/zephyr/pull/24535>`_

- `PR24530 fix for branch from v1.14
  <https://github.com/zephyrproject-rtos/zephyr/pull/24530>`_

- `NCC-ZEP report`_ (NCC-ZEP-032)

CVE-2020-10064
--------------

Improper Input Frame Validation in ieee802154 Processing

- `CVE-2020-10064 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10064>`_

- `Zephyr project bug tracker ZEPSEC-65
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-65>`_

- `PR24971 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/24971>`_

- `PR33451 fix for v1.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/33451>`_

CVE-2020-10065
--------------

OOB Write after not validating user-supplied length (<= 0xffff) and
copying to fixed-size buffer (default: 77 bytes) for HCI_ACL packets in
the Bluetooth HCI over SPI driver.

- `CVE-2020-10065 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10065>`_

- `Zephyr project bug tracker ZEPSEC-66
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-66>`_

- This issue has not been fixed.

CVE-2020-10066
--------------

Incorrect Error Handling in Bluetooth HCI core

In :code:`hci_cmd_done`, the :code:`buf` argument being passed as NULL
causes a NULL pointer dereference.

- `CVE-2020-10066 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10066>`_

- `Zephyr project bug tracker ZEPSEC-67
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-67>`_

- `PR24902 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/24902>`_

- `PR25089 fix for v1.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/25089>`_

CVE-2020-10067
--------------

Integer Overflow In is_in_region Allows User Thread To Access Kernel Memory

A malicious userspace application can cause an integer overflow and
bypass security checks performed by system call handlers. The impact
would depend on the underlying system call and can range from denial
of service to information leak to memory corruption resulting in code
execution within the kernel.

See NCC-ZEP-005

This has been fixed in releases v1.14.2 and v2.2.0.

- `CVE-2020-10067 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10067>`_

- `Zephyr project bug tracker ZEPSEC-27
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-27>`_

- `PR23653 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23653>`_

- `PR23654 fix for the v2.1 branch
  <https://github.com/zephyrproject-rtos/zephyr/pull/23654>`_

- `PR23239 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23239>`_

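The class of bug behind CVE-2020-10067 is an address-range check that computes ``start + size`` without noticing that the sum can wrap. The following is an added illustration, not Zephyr's ``is_in_region`` implementation: the ``region`` struct, the constructed ``user_ram`` window and both function names are assumptions for the example. It contrasts a check that compares end addresses with one that first rejects any wrapping sum and then compares lengths, which is how a syscall handler should validate a user-supplied buffer before touching it.

```c
/* Added example (not Zephyr code): an address-range containment check
 * with and without protection against start+size wrapping around.
 * The region `user_ram` is constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

struct region {
    uintptr_t base;   /* first byte of the region */
    uintptr_t len;    /* length in bytes; base+len is assumed not to wrap */
};

/* Constructed region standing in for a user-accessible memory window. */
const struct region user_ram = { 0x20000000u, 0x1000u };

/* Weak check: computes start+size and compares the end address. If the
 * sum wraps past UINTPTR_MAX, `end` becomes a small number that appears
 * to lie inside the region, so the check passes for a buffer that in
 * fact spans the whole address space. */
bool is_in_region_weak(const struct region *r, uintptr_t start, uintptr_t size)
{
    uintptr_t end = start + size;            /* unsigned wrap is silent */
    return start >= r->base && end <= r->base + r->len;
}

/* Fixed check: refuse any start/size pair whose sum would wrap, then
 * compare lengths rather than addresses so no further addition occurs. */
bool is_in_region_fixed(const struct region *r, uintptr_t start, uintptr_t size)
{
    if (size > UINTPTR_MAX - start) {
        return false;                        /* start + size would wrap */
    }
    if (start < r->base) {
        return false;
    }
    uintptr_t offset = start - r->base;      /* cannot underflow now */
    if (offset > r->len) {
        return false;
    }
    return size <= r->len - offset;          /* bytes left after offset */
}

int main(void)
{
    /* Constructed input: a size chosen so that start+size wraps to 0x100. */
    uintptr_t start = user_ram.base + 0x800u;
    uintptr_t size = (UINTPTR_MAX - start) + 0x101u;
    printf("weak=%d fixed=%d\n",
           is_in_region_weak(&user_ram, start, size),
           is_in_region_fixed(&user_ram, start, size));
    return 0;
}
```

The weak variant answers ``1`` for the wrapping input and the fixed variant ``0``; for ordinary in-range and out-of-range sizes both agree. The subtraction form ``size > UINTPTR_MAX - start`` is the portable way to detect the wrap without relying on compiler builtins.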
CVE-2020-10068
--------------

Zephyr Bluetooth DLE duplicate requests vulnerability

In the Zephyr project Bluetooth subsystem, certain duplicate and
back-to-back packets can cause incorrect behavior, resulting in a
denial of service.

This has been fixed in branches for v1.14.0, v2.2.0, and will be
included in v2.3.0.

- `CVE-2020-10068 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10068>`_

- `Zephyr project bug tracker ZEPSEC-78
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-78>`_

- `PR23707 fix for v2.3 (split driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23707>`_

- `PR23708 fix for v2.3 (legacy driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23708>`_

- `PR23091 fix for branch from v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23091>`_

- `PR23964 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23964>`_

CVE-2020-10069
--------------

Zephyr Bluetooth unchecked packet data results in denial of service

An unchecked parameter in Bluetooth data can result in an assertion
failure, or division by zero, resulting in a denial of service attack.

This has been fixed in branches for v1.14.0, v2.2.0, and will be
included in v2.3.0.

- `CVE-2020-10069 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10069>`_

- `Zephyr project bug tracker ZEPSEC-81
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-81>`_

- `PR23705 fix for v2.3 (split driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23705>`_

- `PR23706 fix for v2.3 (legacy driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23706>`_

- `PR23091 fix for branch from v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23091>`_

- `PR23963 fix for branch from v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23963>`_

CVE-2020-10070
--------------

MQTT buffer overflow on receive buffer

In the Zephyr Project MQTT code, improper bounds checking can result
in memory corruption and possibly remote code execution.

When calculating the packet length, arithmetic overflow can result in
accepting a receive buffer larger than the available buffer space,
resulting in user data being written beyond this buffer.

See NCC-ZEP-031

This has been fixed in main for v2.3.

- `CVE-2020-10070 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10070>`_

- `Zephyr project bug tracker ZEPSEC-85
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-85>`_

- `commit 0b39cbf3 for v2.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/23821/commits/0b39cbf3c01d7feec9d0dd7cc7e0e374b6113542>`_

- `NCC-ZEP report`_ (NCC-ZEP-031)

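CVE-2020-10062 (the 1-to-4-byte length field read as 5 bytes) and CVE-2020-10070 (packet length arithmetic overflowing the receive-buffer check) are two halves of the same parsing path, so one added example covers both. It is not Zephyr's MQTT code: ``RX_BUF_SIZE``, the ``mqtt_len`` struct, the sample packets and all function names are constructed for illustration, and the "weak" decoder only models the off-by-one the advisory describes. The fixed decoder caps the field at 4 bytes (so its accumulator can never overflow a 32-bit integer), and the buffer check subtracts from the capacity instead of adding to the decoded length, so no addition can wrap.

```c
/* Added example (not Zephyr code): strict decoding of the MQTT
 * "remaining length" field and an overflow-safe check of the decoded
 * packet against a receive buffer. RX_BUF_SIZE and the sample packets
 * are constructed; the weak decoder models the off-by-one described
 * for CVE-2020-10062, not Zephyr's actual code. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define MQTT_MAX_LENGTH_BYTES 4u   /* MQTT: remaining length is 1..4 bytes */
#define RX_BUF_SIZE 256u           /* constructed receive buffer capacity */

struct mqtt_len {
    bool ok;          /* false: truncated or malformed */
    size_t used;      /* header bytes consumed by the length field */
    uint32_t value;   /* decoded remaining length */
};

/* Weak decoder: the loop bound admits a 5th byte. Its multiplier is
 * 128^4 = 2^28, so any 5th digit >= 16 wraps uint32_t and the caller
 * sees a remaining length far smaller than what the bytes claim. */
struct mqtt_len mqtt_decode_len_weak(const uint8_t *buf, size_t len)
{
    struct mqtt_len r = { false, 0, 0 };
    uint32_t mult = 1;
    for (size_t i = 0; i <= MQTT_MAX_LENGTH_BYTES; i++) {   /* <= is the bug */
        if (i >= len) return r;
        r.value += (uint32_t)(buf[i] & 0x7Fu) * mult;      /* may wrap */
        if ((buf[i] & 0x80u) == 0) { r.ok = true; r.used = i + 1; return r; }
        mult *= 128u;
    }
    return r;
}

/* Fixed decoder: at most 4 bytes, and a continuation bit on the 4th byte
 * is a protocol error. The largest value is 127*(1+128+128^2+128^3) =
 * 268435455, so the accumulation can never overflow. */
struct mqtt_len mqtt_decode_len_fixed(const uint8_t *buf, size_t len)
{
    struct mqtt_len r = { false, 0, 0 };
    uint32_t mult = 1;
    for (size_t i = 0; i < MQTT_MAX_LENGTH_BYTES; i++) {
        if (i >= len) return r;                              /* truncated */
        r.value += (uint32_t)(buf[i] & 0x7Fu) * mult;
        if ((buf[i] & 0x80u) == 0) { r.ok = true; r.used = i + 1; return r; }
        mult *= 128u;
    }
    return r;   /* 4 bytes all with continuation set: malformed */
}

/* Decides whether the whole packet (1 fixed-header byte + length field +
 * remaining length) fits the receive buffer. The room left is computed by
 * subtraction from the capacity, so no addition can wrap. */
bool mqtt_packet_fits_rx(const uint8_t *buf, size_t len)
{
    if (len < 1) return false;
    struct mqtt_len l = mqtt_decode_len_fixed(buf + 1, len - 1);
    if (!l.ok) return false;
    size_t header = 1 + l.used;
    return l.value <= RX_BUF_SIZE - header;
}

/* Constructed inputs. */
const uint8_t len_five_bytes[] = { 0x80, 0x80, 0x80, 0x80, 0x10 };  /* invalid 5-byte field */
const uint8_t len_max_valid[]  = { 0xFF, 0xFF, 0xFF, 0x7F };        /* 268435455 */
const uint8_t pkt_fits[]       = { 0x30, 0xFD, 0x01 };              /* PUBLISH, length 253 */
const uint8_t pkt_too_big[]    = { 0x30, 0xFE, 0x01 };              /* PUBLISH, length 254 */

int main(void)
{
    struct mqtt_len w = mqtt_decode_len_weak(len_five_bytes, sizeof len_five_bytes);
    struct mqtt_len f = mqtt_decode_len_fixed(len_five_bytes, sizeof len_five_bytes);
    printf("weak: ok=%d used=%zu value=%u | fixed: ok=%d\n",
           w.ok, w.used, w.value, f.ok);
    return 0;
}
```

On the five-byte input the weak decoder reports success with a remaining length of ``0`` after the 32-bit wrap, while the fixed decoder rejects the field outright. ``mqtt_packet_fits_rx`` then accepts a 3-byte header plus 253-byte payload for a 256-byte buffer and rejects 254, without ever forming a sum that could overflow.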
CVE-2020-10071
--------------

Insufficient publish message length validation in MQTT

The Zephyr MQTT parsing code performs insufficient checking of the
length field on publish messages, allowing a buffer overflow and
potentially remote code execution.

See NCC-ZEP-031

This has been fixed in main for v2.3.

- `CVE-2020-10071 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10071>`_

- `Zephyr project bug tracker ZEPSEC-86
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-86>`_

- `commit 989c4713 fix for v2.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/23821/commits/989c4713ba429aa5105fe476b4d629718f3e6082>`_

- `NCC-ZEP report`_ (NCC-ZEP-031)

CVE-2020-10072
--------------

All threads can access all socket file descriptors

There is no management of permissions to network socket API file
descriptors. Any thread running on the system may read/write a socket
file descriptor knowing only the numerical value of the file
descriptor.

- `CVE-2020-10072 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10072>`_

- `Zephyr project bug tracker ZEPSEC-87
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-87>`_

- `PR25804 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/25804>`_

- `PR27176 fix for v1.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/27176>`_

CVE-2020-10136
--------------

IP-in-IP protocol routes arbitrary traffic by default in Zephyr

- `CVE-2020-10136 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10136>`_

- `Zephyr project bug tracker ZEPSEC-64
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-64>`_

CVE-2020-13598
--------------

FS: Buffer Overflow when enabling Long File Names in FAT_FS and calling fs_stat

Performing :code:`fs_stat` on a file whose filename is longer than 12
characters will cause a buffer overflow.

- `CVE-2020-13598 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13598>`_

- `Zephyr project bug tracker ZEPSEC-88
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-88>`_

- `PR25852 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/25852>`_

- `PR28782 fix for v2.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/28782>`_

- `PR33577 fix for v1.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/33577>`_

CVE-2020-13599
--------------

Security problem with settings and littlefs

When settings is used in combination with littlefs, all security-related
information can be extracted from the device using MCUmgr. This could
be used, e.g. in bt-mesh, to obtain the device key, network key and
app keys from the device.

- `CVE-2020-13599 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13599>`_

- `Zephyr project bug tracker ZEPSEC-57
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-57>`_

- `PR26083 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/26083>`_

CVE-2020-13600
--------------

A malformed SPI response for eswifi can corrupt kernel memory

- `CVE-2020-13600 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13600>`_

- `Zephyr project bug tracker ZEPSEC-91
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-91>`_

- `PR26712 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/26712>`_

CVE-2020-13601
--------------

Possible out-of-bounds read in the DNS read path

- `CVE-2020-13601 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13601>`_

- `Zephyr project bug tracker ZEPSEC-92
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-92>`_

- `PR27774 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/27774>`_

- `PR30503 fix for v1.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/30503>`_

CVE-2020-13602
--------------

Remote Denial of Service in LwM2M do_write_op_tlv

In the Zephyr LwM2M implementation, malformed input can result in an
infinite loop, resulting in a denial of service attack.

- `CVE-2020-13602 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13602>`_

- `Zephyr project bug tracker ZEPSEC-56
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-56>`_

- `PR26571 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/26571>`_

- `PR33578 fix for v1.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/33578>`_

CVE-2020-13603
--------------

Possible overflow in mempool

- Zephyr offers a pre-built :code:`malloc` wrapper function instead.
- The :code:`malloc` function is a wrapper for the :code:`sys_mem_pool_alloc` function.
- :code:`sys_mem_pool_alloc` allocates :code:`size + WB_UP(sizeof(struct sys_mem_pool_block))` in an unsafe manner.
- Asking for very large size values leads to an internal integer wrap-around.
- The integer wrap-around leads to a successful allocation of a very small amount of memory.
- For example, calling :code:`malloc(0xffffffff)` leads to a successful allocation of 7 bytes.
- That leads to a heap overflow.

- `CVE-2020-13603 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13603>`_

- `Zephyr project bug tracker ZEPSEC-111
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-111>`_

- `PR31796 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/31796>`_

- `PR32808 fix for v1.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/26571>`_

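The ``size + header`` wrap-around described above is reproduced below in an added example; it is not Zephyr's ``sys_mem_pool_alloc`` or its ``malloc`` wrapper. The header struct, the ``WB_UP`` macro and the bump arena are constructed for illustration; the constructed header rounds up to 8 bytes, which is why the unchecked total for a ``0xffffffff`` request comes out as the same 7 bytes the entry quotes. The checked variant refuses any request whose total would wrap before it ever touches the pool.

```c
/* Added example (not Zephyr code): the size + header arithmetic behind a
 * pool allocator, unchecked and checked. The header layout, WB_UP and the
 * arena are constructed; the header happens to round up to 8 bytes, which
 * reproduces the 7-byte result quoted above for a 0xffffffff request. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define WB_UP(x) (((x) + 3u) & ~3u)              /* constructed: round up to 4 */

struct block_hdr {                               /* constructed bookkeeping header */
    uint32_t level;
    uint32_t block;
};

#define HDR_SIZE ((uint32_t)WB_UP(sizeof(struct block_hdr)))   /* 8 bytes */

/* Weak: total = size + header with no wrap check. 0xffffffff + 8 wraps to
 * 7, so the allocator reserves 7 bytes for a caller who asked for ~4 GiB. */
uint32_t alloc_total_weak(uint32_t size)
{
    return size + HDR_SIZE;
}

/* Fixed: reject any request whose total would wrap. Returns -1 on
 * overflow, otherwise the number of bytes to reserve. */
int64_t alloc_total_fixed(uint32_t size)
{
    if (size > UINT32_MAX - HDR_SIZE) {
        return -1;
    }
    return (int64_t)size + HDR_SIZE;
}

/* Constructed bump arena standing in for the pool's backing store. */
static uint8_t arena[1024];
static uint32_t arena_used;

/* malloc-style wrapper using the checked total; NULL on overflow or when
 * the arena cannot hold header + payload. */
void *pool_alloc_fixed(uint32_t size)
{
    int64_t total = alloc_total_fixed(size);
    if (total < 0 || (uint64_t)total > sizeof(arena) - arena_used) {
        return NULL;
    }
    void *user = arena + arena_used + HDR_SIZE;  /* payload follows header */
    arena_used += (uint32_t)total;
    return user;
}

int main(void)
{
    printf("weak total for 0xffffffff: %u\n", alloc_total_weak(0xffffffffu));
    printf("fixed total for 0xffffffff: %lld\n",
           (long long)alloc_total_fixed(0xffffffffu));
    printf("pool_alloc_fixed(0xffffffff) -> %p\n", pool_alloc_fixed(0xffffffffu));
    return 0;
}
```

The unchecked total for ``0xffffffff`` is ``7``; the checked one is ``-1`` and the allocator returns ``NULL``. The same ``size > MAX - overhead`` test is the right shape for any allocator or framing code that adds a fixed overhead to an untrusted length.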
CVE-2021
========

CVE-2021-3319
-------------

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses

Improper processing of omitted source and destination addresses in
ieee802154 frame validation (ieee802154_validate_frame).

This has been fixed in main for v2.5.0.

- `CVE-2021-3319 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3319>`_

- `Zephyr project bug tracker GHSA-94jg-2p6q-5364
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-94jg-2p6q-5364>`_

- `PR31908 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/31908>`_

CVE-2021-3320
-------------

Mismatch between validation and handling of 802154 ACK frames, where
ACK frames are considered during validation, but not during actual
processing, leading to a type confusion.

- `CVE-2021-3320 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3320>`_

- `PR31908 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/31908>`_

CVE-2021-3321
-------------

Incomplete check of minimum IEEE 802154 fragment size leading to an
integer underflow.

- `CVE-2021-3321 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3321>`_

- `Zephyr project bug tracker ZEPSEC-114
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-114>`_

- `PR33453 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/33453>`_

CVE-2021-3323
-------------

Integer Underflow in 6LoWPAN IPHC Header Uncompression

- `CVE-2021-3323 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3323>`_

- `Zephyr project bug tracker ZEPSEC-116
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-116>`_

- This issue has not been fixed.

CVE-2021-3430
-------------

Assertion reachable with repeated LL_CONNECTION_PARAM_REQ.

This has been fixed in main for v2.6.0.

- `CVE-2021-3430 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3430>`_

- `Zephyr project bug tracker GHSA-46h3-hjcq-2jjr
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-46h3-hjcq-2jjr>`_

- `PR 33272 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/33272>`_

- `PR 33369 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/33369>`_

- `PR 33759 fix for 1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/33759>`_

CVE-2021-3431
-------------

BT: Assertion failure on repeated LL_FEATURE_REQ

This has been fixed in main for v2.6.0.

- `CVE-2021-3431 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3431>`_

- `Zephyr project bug tracker GHSA-7548-5m6f-mqv9
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7548-5m6f-mqv9>`_

- `PR 33340 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/33340>`_

- `PR 33369 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/33369>`_

CVE-2021-3432
-------------

Invalid interval in CONNECT_IND leads to Division by Zero

This has been fixed in main for v2.6.0.

- `CVE-2021-3432 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3432>`_

- `Zephyr project bug tracker GHSA-7364-p4wc-8mj4
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7364-p4wc-8mj4>`_

- `PR 33278 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/33278>`_

- `PR 33369 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/33369>`_

CVE-2021-3433
-------------

BT: Invalid channel map in CONNECT_IND results in Deadlock

This has been fixed in main for v2.6.0.

- `CVE-2021-3433 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3433>`_

- `Zephyr project bug tracker GHSA-3c2f-w4v6-qxrp
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3c2f-w4v6-qxrp>`_

- `PR 33278 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/33278>`_

- `PR 33369 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/33369>`_

CVE-2021-3434
-------------

L2CAP: Stack based buffer overflow in le_ecred_conn_req()

This has been fixed in main for v2.6.0.

- `CVE-2021-3434 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3434>`_

- `Zephyr project bug tracker GHSA-8w87-6rfp-cfrm
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8w87-6rfp-cfrm>`_

- `PR 33305 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/33305>`_

- `PR 33419 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/33419>`_

- `PR 33418 fix for 1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/33418>`_

CVE-2021-3435
-------------

L2CAP: Information leakage in le_ecred_conn_req()

This has been fixed in main for v2.6.0.

- `CVE-2021-3435 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3435>`_

- `Zephyr project bug tracker GHSA-xhg3-gvj6-4rqh
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-xhg3-gvj6-4rqh>`_

- `PR 33305 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/33305>`_

- `PR 33419 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/33419>`_

- `PR 33418 fix for 1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/33418>`_

CVE-2021-3436
-------------

Bluetooth: Possible to overwrite an existing bond during the key
distribution phase when the identity address of the bond is known

During distribution of the identity address information, the stack does
not check for an existing bond with the same identity address. This
means that a duplicate entry is created in RAM, while the newest entry
overwrites the existing one in persistent storage.

This has been fixed in main for v2.6.0

- `CVE-2021-3436 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3436>`_

- `Zephyr project bug tracker GHSA-j76f-35mc-4h63
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63>`_

- `PR 33266 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/33266>`_

- `PR 33432 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/33432>`_

- `PR 33433 fix for 2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/33433>`_

- `PR 33718 fix for 1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/33718>`_

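The missing lookup described above, as an added illustration that is not Zephyr's bond store: a small bond table keyed by identity address, where the vulnerable shape appends a second entry for a known identity and the checked shape rejects it. The table layout, the 7-octet address and 16-octet IRK sizes, and the function names are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration, not Zephyr's bond store: a small bond table keyed by
 * identity address. The 7-octet address and 16-octet IRK layouts are assumed. */
#define BOND_MAX 4
#define ADDR_LEN 7   /* address-type octet + 6 address octets */
#define IRK_LEN 16

struct bond { uint8_t used; uint8_t identity[ADDR_LEN]; uint8_t irk[IRK_LEN]; };
static struct bond bonds[BOND_MAX];

void bonds_reset(void) { memset(bonds, 0, sizeof(bonds)); }

int bonds_count(void) {
    int n = 0;
    for (int i = 0; i < BOND_MAX; i++) n += bonds[i].used;
    return n;
}

/* Index of the bond holding this identity address, or -1 if none. */
int bond_find(const uint8_t *identity) {
    for (int i = 0; i < BOND_MAX; i++)
        if (bonds[i].used && !memcmp(bonds[i].identity, identity, ADDR_LEN)) return i;
    return -1;
}

/* check == 0 reproduces the vulnerable shape: a free slot is always taken, so
 * a second key distribution for a known identity address leaves two RAM
 * entries that both map to one persistent record, which the newer one
 * overwrites. check != 0 looks the identity up first and rejects the
 * duplicate (returns -2) instead of silently creating it. */
int bond_store(const uint8_t *identity, const uint8_t *irk, int check) {
    if (check && bond_find(identity) >= 0) return -2;
    for (int i = 0; i < BOND_MAX; i++) {
        if (!bonds[i].used) {
            bonds[i].used = 1;
            memcpy(bonds[i].identity, identity, ADDR_LEN);
            memcpy(bonds[i].irk, irk, IRK_LEN);
            return i;
        }
    }
    return -1; /* table full */
}

/* Constructed scenario: the same identity address is distributed twice. */
int demo_bonds_after(int check) {
    static const uint8_t id[ADDR_LEN] = {1, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF};
    uint8_t irk_a[IRK_LEN] = {0x11}, irk_b[IRK_LEN] = {0x22};
    bonds_reset();
    bond_store(id, irk_a, check);
    bond_store(id, irk_b, check);
    return bonds_count();
}
```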
CVE-2021-3454
-------------

Truncated L2CAP K-frame causes assertion failure

For example, sending an L2CAP K-frame whose SDU length field is
truncated to a single byte causes an assertion failure in previous
releases of Zephyr. This has been fixed in master by commit 0ba9437 but
has not yet been backported to older release branches.

This has been fixed in main for v2.6.0

- `CVE-2021-3454 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3454>`_

- `Zephyr project bug tracker GHSA-fx88-6c29-vrp3
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fx88-6c29-vrp3>`_

- `PR 32588 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/32588>`_

- `PR 33513 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/33513>`_

- `PR 33514 fix for 2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/33514>`_

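The defensive parse for the case above, as an added illustration that is not Zephyr's L2CAP code: the first K-frame of an SDU in LE Credit Based Flow Control mode carries a 2-octet SDU Length field, and a peer-controlled field must be validated rather than asserted on. The struct, enum and function names, and the sample frames, are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustration, not Zephyr code: validating the first K-frame of an
 * SDU in L2CAP LE Credit Based Flow Control mode. The first K-frame carries
 * a 2-octet little-endian SDU Length field before the payload; the
 * advisory's trigger truncates that field to a single octet. */
#define SDU_LEN_SIZE 2

enum kframe_result {
    KFRAME_OK = 0,
    KFRAME_ERR_TRUNCATED_LEN = -1, /* SDU Length field incomplete */
    KFRAME_ERR_TOO_LONG = -2,      /* payload exceeds announced SDU length */
};

struct sdu_state {
    uint16_t sdu_len;  /* total SDU length announced by the peer */
    uint16_t received; /* payload octets seen so far */
};

/* A peer-controlled field is never an invariant: where the vulnerable code
 * hit an assertion on a short frame, this reports a protocol error. */
int kframe_first_parse(const uint8_t *buf, size_t len, struct sdu_state *st) {
    if (len < SDU_LEN_SIZE) {
        return KFRAME_ERR_TRUNCATED_LEN;
    }
    uint16_t sdu_len = (uint16_t)(buf[0] | ((uint16_t)buf[1] << 8));
    size_t payload = len - SDU_LEN_SIZE;
    if (payload > sdu_len) {
        return KFRAME_ERR_TOO_LONG;
    }
    st->sdu_len = sdu_len;
    st->received = (uint16_t)payload;
    return KFRAME_OK;
}

/* Constructed frames: the K-frame content after the 4-octet basic L2CAP header. */
static const uint8_t good_frame[] = {0x03, 0x00, 'a', 'b', 'c'}; /* len 3, 3 octets */
static const uint8_t short_frame[] = {0x03};                     /* length cut to 1 octet */
static const uint8_t over_frame[] = {0x01, 0x00, 'a', 'b'};      /* announces 1, carries 2 */

int demo_parse(const uint8_t *frame, size_t len, uint16_t *sdu_len_out) {
    struct sdu_state st = {0, 0};
    int rc = kframe_first_parse(frame, len, &st);
    if (sdu_len_out) *sdu_len_out = st.sdu_len;
    return rc;
}
```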
CVE-2021-3455
-------------

Disconnecting the L2CAP channel right after an invalid ATT request leads to a freeze

When a Central device connects to a Peripheral and creates an L2CAP
connection for Enhanced ATT, sending an invalid ATT request and
disconnecting immediately causes a freeze.

This has been fixed in main for v2.6.0

- `CVE-2021-3455 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3455>`_

- `Zephyr project bug tracker GHSA-7g38-3x9v-v7vp
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7g38-3x9v-v7vp>`_

- `PR 35597 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/35597>`_

- `PR 36104 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/36104>`_

- `PR 36105 fix for 2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/36105>`_

CVE-2021-3510
-------------

Zephyr JSON decoder incorrectly decodes array of arrays

When using JSON_OBJ_DESCR_ARRAY_ARRAY, the subarray has the token type
JSON_TOK_LIST_START, but the value is then assigned to the object part
of the union. arr_parse then takes the offset of the array-object (which
has nothing to do with the list), treats it as relative to the parent
object, and stores the length of the subarray there.

This has been fixed in main for v2.7.0

- `CVE-2021-3510 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3510>`_

- `Zephyr project bug tracker GHSA-289f-7mw3-2qf4
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4>`_

- `PR 36340 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/36340>`_

- `PR 37816 fix for 2.6
  <https://github.com/zephyrproject-rtos/zephyr/pull/37816>`_

CVE-2021-3581
-------------

HCI data not properly checked leads to memory overflow in the Bluetooth stack

When setting SCAN_RSP through the HCI command, the Zephyr Bluetooth
protocol stack did not effectively check the length of the incoming HCI
data. This causes a memory overflow in which data in memory is
overwritten, and may even allow arbitrary code execution.

This has been fixed in main for v2.6.0

- `CVE-2021-3581 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3581>`_

- `Zephyr project bug tracker GHSA-8q65-5gqf-fmw5
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8q65-5gqf-fmw5>`_

- `PR 35935 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/35935>`_

- `PR 35984 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/35984>`_

- `PR 35985 fix for 2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/35985>`_

- `PR 35985 fix for 1.14
  <https://github.com/zephyrproject-rtos/zephyr/pull/35985>`_

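The length check at issue, as an added illustration that is not Zephyr controller code: the HCI LE_Set_Scan_Response_Data command carries a 1-octet Scan_Response_Data_Length (0x00 to 0x1F) followed by 31 octets of data, so a handler must bound both the parameter block and the declared length before copying into its 31-octet buffer. The struct, handler and demo names are assumptions, and the parameter block is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not Zephyr controller code: the length check for
 * HCI LE_Set_Scan_Response_Data. Per the Core spec the command carries a
 * 1-octet Scan_Response_Data_Length (0x00..0x1F) followed by 31 octets of
 * Scan_Response_Data; the names below are assumptions. */
#define SCAN_RSP_DATA_MAX 31
#define HCI_ERR_SUCCESS 0x00
#define HCI_ERR_INVALID_PARAM 0x12 /* Invalid HCI Command Parameters */

struct scan_rsp {
    uint8_t len;
    uint8_t data[SCAN_RSP_DATA_MAX];
};

static struct scan_rsp adv_scan_rsp;

/* Vulnerable shape, shown only as a comment: trusting the host-supplied
 * length octet and copying that many octets into the 31-octet buffer,
 *     memcpy(adv_scan_rsp.data, &params[1], params[0]);
 * writes past the buffer for any length above 31. */

/* Hardened handler: reject the command before touching the buffer. */
uint8_t hci_le_set_scan_rsp_data(const uint8_t *params, size_t params_len) {
    if (params_len < 1 + SCAN_RSP_DATA_MAX) {  /* fixed 32-octet block */
        return HCI_ERR_INVALID_PARAM;
    }
    uint8_t len = params[0];
    if (len > SCAN_RSP_DATA_MAX) {
        return HCI_ERR_INVALID_PARAM;
    }
    adv_scan_rsp.len = len;
    memcpy(adv_scan_rsp.data, &params[1], len);
    /* Zero the unused tail so stale octets are never transmitted. */
    memset(&adv_scan_rsp.data[len], 0, SCAN_RSP_DATA_MAX - len);
    return HCI_ERR_SUCCESS;
}

uint8_t scan_rsp_len(void) { return adv_scan_rsp.len; }

/* Constructed 32-octet parameter block with the given length octet. */
int demo_set_scan_rsp(uint8_t declared_len) {
    uint8_t params[1 + SCAN_RSP_DATA_MAX];
    memset(params, 0xAB, sizeof(params));
    params[0] = declared_len;
    return hci_le_set_scan_rsp_data(params, sizeof(params));
}
```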
CVE-2021-3625
-------------

Buffer overflow in Zephyr USB DFU DNLOAD

This has been fixed in main for v2.6.0

- `CVE-2021-3625 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3625>`_

- `Zephyr project bug tracker GHSA-c3gr-hgvr-f363
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-c3gr-hgvr-f363>`_

- `PR 36694 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/36694>`_
