zephyrproject-rtos zephyr 1.14.x Shell Subsystem buffer overflow
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.0 | $0-$5k | 0.00 |
Summary
A vulnerability classified as critical has been found in zephyrproject-rtos zephyr 1.14.x. Affected by this vulnerability is an unknown functionality of the component Shell Subsystem. The manipulation leads to buffer overflow. This vulnerability is traded as CVE-2020-10023. An attack has to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.
Details
A vulnerability was found in zephyrproject-rtos zephyr 1.14.x (Project Management Software). It has been rated as critical. This issue affects some unknown processing of the component Shell Subsystem. The manipulation with an unknown input leads to a buffer overflow vulnerability. Using CWE to declare the problem leads to CWE-120. The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
The shell subsystem contains a buffer overflow, whereby an adversary with physical access to the device is able to cause a memory corruption, resulting in denial of service or possibly code execution within the Zephyr kernel. See NCC-NCC-019 This issue affects: zephyrproject-rtos zephyr version 1.14.0 and later versions. version 2.1.0 and later versions.
The weakness was shared 05/11/2020. The identification of this vulnerability is CVE-2020-10023 since 03/03/2020. Attacking locally is a requirement. Required for exploitation is a simple authentication. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available.
Upgrading to version 2.1.0 eliminates this vulnerability.
The entries VDB-154983, VDB-154982, VDB-154981 and VDB-154980 are related to this item. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.3VulDB Meta Temp Score: 6.2
VulDB Base Score: 5.7
VulDB Temp Score: 5.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 6.9
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Buffer overflowCWE: CWE-120 / CWE-119
CAPEC: 🔍
ATT&CK: 🔍
Physical: Yes
Local: Yes
Remote: Partially
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: zephyr 2.1.0
Timeline
03/03/2020 🔍05/11/2020 🔍
05/12/2020 🔍
10/16/2020 🔍
Sources
Status: Not definedCVE: CVE-2020-10023 (🔍)
GCVE (CVE): GCVE-0-2020-10023
GCVE (VulDB): GCVE-100-154979
See also: 🔍
Entry
Created: 05/12/2020 07:22Updated: 10/16/2020 13:13
Changes: 05/12/2020 07:22 (38), 05/12/2020 07:27 (12), 10/16/2020 13:13 (1)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.