CVE-2024-6563 (GCVE-0-2024-6563)
Vulnerability from cvelistv5 – Published: 2024-07-08 15:09 – Updated: 2024-08-01 21:41
Title
Buffer Overflow Arbitrary Write
Summary
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with the program file https://github.com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.c.
In line 313, "addr_loaded_cnt" is checked not to be "CHECK_IMAGE_AREA_CNT" (5) or larger, but this check does not halt the function. Immediately after (line 317), the buffer overflows and the value of "dst" is written to the area immediately after the buffer, which is "addr_loaded_cnt". This allows an attacker to freely control the value of "addr_loaded_cnt" and thus the destination of the write that follows (line 318). The write in line 318 is then fully controlled by the attacker, with whichever address and whichever value ("len") they desire.
Severity
7.5 (High)
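CWE
- CWE-123: Write-what-where Condition
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Assigner
ASRG
References
| URL | Tags |
|---|---|
| https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164 | |
| https://asrg.io/security-advisories/cve-2024-6563/ | third-party-advisory |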
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Renesas | rcar_gen3_v2.5 | Affected: c2f286820471ed276c57e603762bd831873e5a17 , ≤ c9fb3558410032d2660c7f3b7d4b87dec09fe2f2 (git) |
Credits
Ilay levi
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:renesas:rcar_gen3_firmware:v2.5:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "rcar_gen3_firmware",
"vendor": "renesas",
"versions": [
{
"status": "affected",
"version": "v2.5"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6563",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T15:29:36.318090Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-10T16:32:55.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:41:03.975Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://asrg.io/security-advisories/cve-2024-6563/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "arm-trusted-firmware",
"product": "rcar_gen3_v2.5",
"programFiles": [
"https://github.com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.c"
],
"repo": "https://github.com/renesas-rcar/arm-trusted-firmware/",
"vendor": "Renesas",
"versions": [
{
"lessThanOrEqual": "c9fb3558410032d2660c7f3b7d4b87dec09fe2f2",
"status": "affected",
"version": "c2f286820471ed276c57e603762bd831873e5a17",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Ilay levi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027) vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C\"\u003ehttps://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i...\u003c/a\u003e\u003c/tt\u003e.\u003cbr\u003e\n\n\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eIn line 313 \"addr_loaded_cnt\" is checked not to be \"CHECK_IMAGE_AREA_CNT\" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of \"dst\" will be written to the area immediately after the buffer, which is \"addr_loaded_cnt\". This will allow an attacker to freely control the value of \"addr_loaded_cnt\" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (\"len\") they desire.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027) vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C .\n\n\n\n\nIn line 313 \"addr_loaded_cnt\" is checked not to be \"CHECK_IMAGE_AREA_CNT\" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of \"dst\" will be written to the area immediately after the buffer, which is \"addr_loaded_cnt\". This will allow an attacker to freely control the value of \"addr_loaded_cnt\" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (\"len\") they desire."
}
],
"impacts": [
{
"capecId": "CAPEC-549",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-549 Local Execution of Code"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "CWE-123: Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T15:13:27.519Z",
"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"shortName": "ASRG"
},
"references": [
{
"url": "https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://asrg.io/security-advisories/cve-2024-6563/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Buffer Overflow Arbitrary Write",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"assignerShortName": "ASRG",
"cveId": "CVE-2024-6563",
"datePublished": "2024-07-08T15:09:51.326Z",
"dateReserved": "2024-07-08T15:06:43.647Z",
"dateUpdated": "2024-08-01T21:41:03.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-6563\",\"sourceIdentifier\":\"cve@asrg.io\",\"published\":\"2024-07-08T16:15:09.210\",\"lastModified\":\"2024-11-21T09:49:53.527\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027) vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C .\\n\\n\\n\\n\\nIn line 313 \\\"addr_loaded_cnt\\\" is checked not to be \\\"CHECK_IMAGE_AREA_CNT\\\" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of \\\"dst\\\" will be written to the area immediately after the buffer, which is \\\"addr_loaded_cnt\\\". This will allow an attacker to freely control the value of \\\"addr_loaded_cnt\\\" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (\\\"len\\\") they desire.\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad de copia de b\u00fafer sin verificar el tama\u00f1o de la entrada (\u0027desbordamiento de b\u00fafer cl\u00e1sico\u0027) en el firmware arm-trusted-de Renesas permite la ejecuci\u00f3n local de c\u00f3digo. Esta vulnerabilidad est\u00e1 asociada a archivos de programa https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com /renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C. 
En la l\u00ednea 313 se verifica que \\\"addr_loaded_cnt\\\" no sea \\\"CHECK_IMAGE_AREA_CNT\\\" (5) o mayor; esta verificaci\u00f3n no detiene la funci\u00f3n. Inmediatamente despu\u00e9s (l\u00ednea 317) habr\u00e1 un desbordamiento en el b\u00fafer y el valor de \\\"dst\\\" se escribir\u00e1 en el \u00e1rea inmediatamente despu\u00e9s del b\u00fafer, que es \\\"addr_loaded_cnt\\\". Esto permitir\u00e1 a un atacante controlar libremente el valor de \\\"addr_loaded_cnt\\\" y as\u00ed controlar el destino de la escritura inmediatamente despu\u00e9s (l\u00ednea 318). La escritura en la l\u00ednea 318 ser\u00e1 entonces totalmente controlada por dicho atacante, con cualquier direcci\u00f3n y cualquier valor (\\\"len\\\") que desee.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@asrg.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.8,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":6.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"cve@asrg.io\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-120\"},{\"lang\":\"en\",\"value\":\"CWE-123\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\
":\"CWE-120\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:renesas:arm-trusted-firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"16A2BDC3-F664-4132-8148-9DB849240F8B\"}]}]}],\"references\":[{\"url\":\"https://asrg.io/security-advisories/cve-2024-6563/\",\"source\":\"cve@asrg.io\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164\",\"source\":\"cve@asrg.io\",\"tags\":[\"Patch\"]},{\"url\":\"https://asrg.io/security-advisories/cve-2024-6563/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://asrg.io/security-advisories/cve-2024-6563/\", \"tags\": [\"third-party-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T21:41:03.975Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-6563\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-08T15:29:36.318090Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:o:renesas:rcar_gen3_firmware:v2.5:*:*:*:*:*:*:*\"], \"vendor\": \"renesas\", \"product\": \"rcar_gen3_firmware\", \"versions\": [{\"status\": \"affected\", \"version\": \"v2.5\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-08T16:02:06.939Z\"}}], \"cna\": {\"title\": \"Buffer Overflow Arbitrary Write\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Ilay levi\"}], \"impacts\": [{\"capecId\": \"CAPEC-549\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-549 Local Execution of Code\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", 
\"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/renesas-rcar/arm-trusted-firmware/\", \"vendor\": \"Renesas\", \"product\": \"rcar_gen3_v2.5\", \"versions\": [{\"status\": \"affected\", \"version\": \"c2f286820471ed276c57e603762bd831873e5a17\", \"versionType\": \"git\", \"lessThanOrEqual\": \"c9fb3558410032d2660c7f3b7d4b87dec09fe2f2\"}], \"packageName\": \"arm-trusted-firmware\", \"programFiles\": [\"https://github.com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.c\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164\"}, {\"url\": \"https://asrg.io/security-advisories/cve-2024-6563/\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027) vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C .\\n\\n\\n\\n\\nIn line 313 \\\"addr_loaded_cnt\\\" is checked not to be \\\"CHECK_IMAGE_AREA_CNT\\\" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of \\\"dst\\\" will be written to the area immediately after the buffer, which is \\\"addr_loaded_cnt\\\". This will allow an attacker to freely control the value of \\\"addr_loaded_cnt\\\" and thus control the destination of the write immediately after (line 318). 
The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (\\\"len\\\") they desire.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027) vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003e\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C\\\"\u003ehttps://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i...\u003c/a\u003e\u003c/tt\u003e.\u003cbr\u003e\\n\\n\u003c/p\u003e\u003cp\u003e\u003cspan style=\\\"background-color: var(--wht);\\\"\u003eIn line 313 \\\"addr_loaded_cnt\\\" is checked not to be \\\"CHECK_IMAGE_AREA_CNT\\\" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of \\\"dst\\\" will be written to the area immediately after the buffer, which is \\\"addr_loaded_cnt\\\". This will allow an attacker to freely control the value of \\\"addr_loaded_cnt\\\" and thus control the destination of the write immediately after (line 318). 
The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (\\\"len\\\") they desire.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e\\n\\n\u003cbr\u003e\u003cp\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-123\", \"description\": \"CWE-123: Write-what-where Condition\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-120\", \"description\": \"CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"c15abc07-96a9-4d11-a503-5d621bfe42ba\", \"shortName\": \"ASRG\", \"dateUpdated\": \"2024-07-08T15:13:27.519Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-6563\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T21:41:03.975Z\", \"dateReserved\": \"2024-07-08T15:06:43.647Z\", \"assignerOrgId\": \"c15abc07-96a9-4d11-a503-5d621bfe42ba\", \"datePublished\": \"2024-07-08T15:09:51.326Z\", \"assignerShortName\": \"ASRG\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}