CVE-2022-36063

USBX Host CDC ECM integer underflow with buffer overflow

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Azure RTOS USBx is a USB host, device, and on-the-go (OTG) embedded stack, fully integrated with Azure RTOS ThreadX and available for all Azure RTOS ThreadX–supported processors. Azure RTOS USBX implementation of host support for USB CDC ECM includes an integer underflow and a buffer overflow in the `_ux_host_class_cdc_ecm_mac_address_get` function which may be potentially exploited to achieve remote code execution or denial of service. Setting mac address string descriptor length to a `0` or `1` allows an attacker to introduce an integer underflow followed (string_length) by a buffer overflow of the `cdc_ecm -> ux_host_class_cdc_ecm_node_id` array. This may allow one to redirect the code execution flow or introduce a denial of service. The fix has been included in USBX release [6.1.12](https://github.com/azure-rtos/usbx/releases/tag/v6.1.12_rel). Improved mac address string descriptor length validation to check for unexpectedly small values may be used as a workaround.

Azure RTOS USBx es una pila embebida de host, dispositivo y on-the-go (OTG) USB, totalmente integrada con Azure RTOS ThreadX y disponible para todos los procesadores compatibles con Azure RTOS ThreadX. La implementación de Azure RTOS USBX del soporte de host para USB CDC ECM incluye un desbordamiento de entero y un desbordamiento de búfer en la función "_ux_host_class_cdc_ecm_mac_address_get" que puede ser potencialmente explotada para lograr la ejecución remota de código o la denegación de servicio. Establecer la longitud del descriptor de la cadena de direcciones mac a un "0" o "1" permite a un atacante introducir un desbordamiento de enteros seguido (string_length) por un desbordamiento del buffer del array "cdc_ecm -) ux_host_class_cdc_ecm_node_id". Esto puede permitir redirigir el flujo de ejecución del código o introducir una denegación de servicio. La corrección ha sido incluida en USBX versión [6.1.12](https://github.com/azure-rtos/usbx/releases/tag/v6.1.12_rel). Ha sido mejorada la comprobación de la longitud del descriptor de la cadena de direcciones mac para comprobar los valores inesperadamente pequeños, lo que puede usarse como mitigación

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-15 CVE Reserved
2022-10-10 CVE Published
2024-07-29 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-121: Stack-based Buffer Overflow
CWE-191: Integer Underflow (Wrap or Wraparound)
CWE-1284: Improper Validation of Specified Quantity in Input

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC
https://github.com/azure-rtos/usbx/blob/master/common/usbx_host_classes/src/ux_host_class_cdc_ecm_mac_address_get.c#L264	2024-08-03
https://github.com/azure-rtos/usbx/security/advisories/GHSA-chpp-5fv9-6368	2024-08-03

URL	Date	SRC
https://github.com/azure-rtos/usbx/releases/tag/v6.1.12_rel	2023-06-29

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Microsoft Search vendor "Microsoft"		Azure Rtos Usbx Search vendor "Microsoft" for product "Azure Rtos Usbx"				< 6.1.11 Search vendor "Microsoft" for product "Azure Rtos Usbx" and version " < 6.1.11"		-		Affected