CVE Vulnerability

CVE-2022-36063

Azure RTOS USBx is a USB host, device, and on-the-go (OTG) embedded stack, fully integrated with Azure RTOS ThreadX and available for all Azure RTOS ThreadX–supported processors. Azure RTOS USBX implementation of host support for USB CDC ECM includes an integer underflow and a buffer overflow in the `_ux_host_class_cdc_ecm_mac_address_get` function which may be potentially exploited to achieve remote code execution or denial of service. Setting mac address string descriptor length to a `0` or `1` allows an attacker to introduce an integer underflow followed (string_length) by a buffer overflow of the `cdc_ecm -> ux_host_class_cdc_ecm_node_id` array. This may allow one to redirect the code execution flow or introduce a denial of service. The fix has been included in USBX release [6.1.12](https://github.com/azure-rtos/usbx/releases/tag/v6.1.12_rel). Improved mac address string descriptor length validation to check for unexpectedly small values may be used as a workaround.

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/azure-rtos/usbx/security/advisories/GHSA-chpp-5fv9-6368 Exploit Patch
https://github.com/azure-rtos/usbx/releases/tag/v6.1.12_rel Patch Release Notes
https://github.com/azure-rtos/usbx/blob/master/common/usbx_host_classes/src/ux_host_class_cdc_ecm_mac_address_get.c#L264 Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:o:microsoft:azure_rtos_usbx:*:*:*:*:*:*:*:*
Information

Published : 2022-10-10 09:15

Updated : 2022-10-12 06:17

NVD link : CVE-2022-36063

Mitre link : CVE-2022-36063

Products Affected
No products.
CWE
CWE-121

CWE-191

Integer Underflow (Wrap or Wraparound)