CVE-2021-35522 in Morpho Wave Compact MDinfo

Summary

by MITRE • 07/22/2021

A Buffer Overflow in Thrift command handlers in IDEMIA Morpho Wave Compact and VisionPass devices before 2.6.2, Sigma devices before 4.9.4, and MA VP MD devices before 4.9.7 allows remote attackers to achieve code execution, denial of service, and information disclosure via TCP/IP packets.


Analysis

by VulDB Data Team • 07/27/2021

CVE-2021-35522 is a critical buffer overflow in the Thrift command handlers of several IDEMIA security devices: Morpho Wave Compact and VisionPass (before 2.6.2), Sigma (before 4.9.4) and MA VP MD (before 4.9.7). The handlers process commands arriving over TCP/IP, so the flaw is reachable from the network, and the fact that the same bug spans several product lines indicates that they share the same underlying software.

The root cause is missing input validation in the devices' Thrift protocol implementation. When a command handler reads data from a TCP/IP connection it does not check the received length against the size of the buffer it copies into, so a packet carrying more data than the buffer holds overwrites adjacent memory. Depending on what lies beyond the buffer, the overwrite can reach return addresses, function pointers or other control data, which is what turns a length mismatch into arbitrary code execution. Because the bug sits in an application-layer network service, exploitation needs neither physical access to the device nor prior local privileges.
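The missing check described above, as an added illustration that is not the vendor's code: a Thrift binary-protocol string field (big-endian i32 length followed by the bytes) copied into a fixed-size buffer, first trusting the wire length and then validating it against both the frame and the buffer. NAME_MAX, the frame layout and the handler names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed example: a fixed-size field that a device command handler
 * fills from a Thrift binary-protocol string (big-endian i32 length + bytes).
 * NAME_MAX and the frame layout are assumptions, not the vendor's code. */
#define NAME_MAX 32

/* Thrift's binary protocol encodes string lengths as a big-endian i32. */
static int32_t read_i32(const uint8_t *p) {
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8)  |  (uint32_t)p[3]);
}

/* "Before": the length from the wire is trusted. A frame claiming more than
 * NAME_MAX bytes writes past `name` (CWE-787). Shown only for contrast. */
int handle_set_name_vuln(const uint8_t *frame, size_t frame_len, char name[NAME_MAX]) {
    if (frame_len < 4) return -1;
    int32_t len = read_i32(frame);         /* never compared with NAME_MAX or frame_len */
    memcpy(name, frame + 4, (size_t)len);  /* writes out of bounds when len > NAME_MAX */
    name[len] = '\0';
    return (int)len;
}

/* "After": the length is validated against both the frame and the buffer
 * before any byte is copied. Returns the string length, or -1 on a bad frame. */
int handle_set_name_safe(const uint8_t *frame, size_t frame_len, char name[NAME_MAX]) {
    if (frame_len < 4) return -1;                /* header truncated */
    int32_t len = read_i32(frame);
    if (len < 0) return -1;                      /* negative i32 would become a huge size_t */
    if ((size_t)len > frame_len - 4) return -1;  /* claims more bytes than were received */
    if ((size_t)len >= NAME_MAX) return -1;      /* leave room for the terminator */
    memcpy(name, frame + 4, (size_t)len);
    name[len] = '\0';
    return (int)len;
}

/* Runs the hardened handler into a scratch buffer and returns its status. */
int check_frame(const uint8_t *frame, size_t frame_len) {
    char name[NAME_MAX];
    return handle_set_name_safe(frame, frame_len, name);
}

/* Constructed frames: a valid 5-byte "admin", one whose length field (0x100)
 * exceeds NAME_MAX, one truncated mid-string, and one with a negative length. */
const uint8_t GOOD_FRAME[]      = {0,0,0,5,'a','d','m','i','n'};
const uint8_t OVERSIZED_FRAME[] = {0,0,1,0,'A','A','A','A'};
const uint8_t TRUNCATED_FRAME[] = {0,0,0,10,'a','b'};
const uint8_t NEGATIVE_FRAME[]  = {0xFF,0xFF,0xFF,0xFF};
```

Only the hardened handler is safe to feed the malformed frames; the "before" variant is there to show which three comparisons the patched firmware must add.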

The impact is not limited to code execution. An overflow that corrupts memory without yielding control can crash the device, taking whatever security function it performs offline and disrupting operations in environments that depend on it. The same memory corruption can also expose sensitive data from memory that becomes reachable through the overflow, giving an information-disclosure path. Because the handlers listen on the network, any host that can reach the device's Thrift service is a potential attacker, which is the main concern for deployments where these devices sit on networks carrying untrusted traffic.

In weakness-taxonomy terms the vulnerability maps to CWE-121 (stack-based buffer overflow) and CWE-787 (out-of-bounds write), and the associated attack patterns align with ATT&CK T1203 (Exploitation for Client Execution) and T1059 (Command and Scripting Interpreter). Its classification as remote code execution puts it in the highest-risk tier: the devices may be responsible for authentication, access control or cryptographic operations, so an attacker who executes code on one gains a foothold inside the security perimeter. Mitigation is the vendor's firmware upgrade, combined with network segmentation that keeps the devices off untrusted segments and firewall rules that restrict which hosts can reach the Thrift service. The case also illustrates how costly a missing bounds check is in embedded, security-sensitive hardware.

Reservation

06/28/2021

Disclosure

07/22/2021

Moderation

accepted

CPE

ready

EPSS

0.03657

KEV

no

Activities

very low
