Buffer overflow on HUB descriptor in Azure RTOS USBX
CVE-2022-29223

7.5HIGH

Key Information:

Vendor: Azure-rtos
Status: Usbx
Vendor: CVE Published:; 24 May 2022

What is CVE-2022-29223?

Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. In versions prior to 6.1.10, an attacker can cause a buffer overflow by providing the Azure RTOS USBX host stack a HUB descriptor with bNbPorts set to a value greater than UX_MAX_TT which defaults to 8. For a bNbPorts value of 255, the implementation of ux_host_class_hub_descriptor_get function will modify the contents of hub -> ux_host_class_hub_device -> ux_device_hub_tt array violating the end boundary by 255 - UX_MAX_TT items. The USB host stack needs to validate the number of ports reported by the hub, and if the value is larger than UX_MAX_TT, USB stack needs to reject the request. This fix has been included in USBX release 6.1.10.

Affected Version(s)

usbx < 6.1.10

References

https://github.com/azure-rtos/usbx/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/azure-rtos/usbx/releases/tag/v6.1.10_rel

x_refsource_MISC

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 24, 2022
Vulnerability Reserved
Apr 13, 2022

Azure-rtos

What is CVE-2022-29223?

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline