Azure RTOS USBX vulnerable to buffer overflow
CVE-2022-39344

9.8CRITICAL

Key Information:

Vendor: Azure-rtos
Status: Usbx
Vendor: CVE Published:; 4 November 2022

What is CVE-2022-39344?

Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS ThreadX. Prior to version 6.1.12, the USB DFU UPLOAD functionality may be utilized to introduce a buffer overflow resulting in overwrite of memory contents. In particular cases this may allow an attacker to bypass security features or execute arbitrary code. The implementation of ux_device_class_dfu_control_request function prevents buffer overflow during handling of DFU UPLOAD command when current state is UX_SYSTEM_DFU_STATE_DFU_IDLE. This issue has been patched, please upgrade to version 6.1.12. As a workaround, add the UPLOAD_LENGTH check in all possible states.

Affected Version(s)

usbx < 6.1.12

References

https://github.com/azure-rtos/usbx/security/advisories/GH...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 4, 2022
Vulnerability Reserved
Sep 2, 2022

Azure-rtos

What is CVE-2022-39344?

Affected Version(s)

References

CVSS V3.1

Timeline