Vulnerability-Lookup

GHSA-F366-4RVV-95X2

Vulnerability from github – Published: 2020-10-02 16:33 – Updated: 2021-10-04 21:23

Summary

Buffer overflow in deprecated USB HALs and stack overflow in USB enumeration

Details

Impact

1) If an application is making use of the deprecated kit protocol HALs as the communication channel to the target device an attacker can masquerade as a device and return malformed packets of arbitrary length which the protocol stack will write to the stack. HALs intended for production use are unaffected (I2C, SWI, & SPI) as well as the hidapi HAL (hal_all_platforms_kit_hidapi.c).

2) The hidapi HAL can be made to overrun the application stack by attaching more than 10 (real or virtual) devices likely resulting in an application crash as this does not allow arbitrary data to be written to the stack.

Patches

USB kit enumeration has been patched in v3.2.3 for the hidapi HAL (hal_all_platforms_kit_hidapi.c).

Removal of deprecated HALs

Deprecated usb kit HALs have been removed in v3.2.3.

Workarounds

This vulnerability is limited to users of the kit protocol which is used with Microchip kits and kit firmware to bridge communication from USB-HID to I2C or SWI. It is not expected that kits would be used in an production environment. This is an optional component for users as well so they can always compile the library without the usb support option.

Special python packaging notes

The python package for cryptoauthlib uses date codes for identifying versions. The patched version for python packages is 20200912

References

Please see Microchip PSIRT for Microchip's security policy and reporting procedures

Credits

Special thanks to Ruben Santamarta of IOActive for reporting

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cryptoauthlib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20200912"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-120"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-10-02T16:27:28Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\n1) If an application is making use of the deprecated kit protocol HALs as the communication channel to the target device an attacker can masquerade as a device and return malformed packets of arbitrary length which the protocol stack will write to the stack. HALs intended for production use are unaffected (I2C, SWI, \u0026 SPI) as well as the hidapi HAL (hal_all_platforms_kit_hidapi.c).\n\n2) The hidapi HAL can be made to overrun the application stack by attaching more than 10 (real or virtual) devices likely resulting in an application crash as this does not allow arbitrary data to be written to the stack.\n\n### Patches\nUSB kit enumeration has been patched in v3.2.3 for the hidapi HAL (hal_all_platforms_kit_hidapi.c).\n\n### Removal of deprecated HALs\nDeprecated usb kit HALs have been removed in v3.2.3.\n\n### Workarounds\nThis vulnerability is limited to users of the kit protocol which is used with Microchip kits and kit firmware to bridge communication from USB-HID to I2C or SWI. It is not expected that kits would be used in an production environment. This is an optional component for users as well so they can always compile the library without the usb support option.\n\n### Special python packaging notes\nThe python package for cryptoauthlib uses date codes for identifying versions. The patched version for python packages is 20200912\n\n### References\nPlease see [Microchip PSIRT](https://www.microchip.com/design-centers/embedded-security/how-to-report-potential-product-security-vulnerabilities) for Microchip\u0027s security policy and reporting procedures\n\n### Credits\nSpecial thanks to Ruben Santamarta of [IOActive](https://blogs.ioactive.com/) for reporting",
  "id": "GHSA-f366-4rvv-95x2",
  "modified": "2021-10-04T21:23:53Z",
  "published": "2020-10-02T16:33:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MicrochipTech/cryptoauthlib/security/advisories/GHSA-f366-4rvv-95x2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MicrochipTech/cryptoauthlib"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Buffer overflow in deprecated USB HALs and stack overflow in USB enumeration"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted