cvelistv5 - cve-2024-32883

cve-2024-32883

Vulnerability from cvelistv5

Published

2024-04-26 21:03

Modified

2024-08-02 02:20

Severity ?

7.7 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H

Summary

MCUboot is a secure bootloader for 32-bits microcontrollers. MCUboot uses a TLV (tag-length-value) structure to represent the meta data associated with an image. The TLVs themselves are divided into two sections, a protected and an unprotected section. The protected TLV entries are included as part of the image signature to avoid tampering. However, the code does not distinguish which TLV entries should be protected or not, so it is possible for an attacker to add unprotected TLV entries that should be protected. Currently, the primary protected TLV entries should be the dependency indication, and the boot record. An injected dependency value would primarily result in an otherwise acceptable image being rejected. A boot record injection could allow fields in a later attestation record to include data not intended, which could cause an image to appear to have properties that it should not have. As a workaround, disable the boot record functionality.

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j

Impacted products

	Vendor	Product	Version
	mcu-tools	mcuboot	Version: <= 1.11.0

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-32883",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-05-30T15:26:00.714731Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-06-04T17:51:00.445Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T02:20:35.680Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "mcuboot",
               vendor: "mcu-tools",
               versions: [
                  {
                     status: "affected",
                     version: "<= 1.11.0",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "MCUboot is a secure bootloader for 32-bits microcontrollers. MCUboot uses a TLV (tag-length-value) structure to represent the meta data associated with an image.  The TLVs themselves are divided into two sections, a protected and an unprotected section. The protected TLV entries are included as part of the image signature to avoid tampering. However, the code does not distinguish which TLV entries should be protected or not, so it is possible for an attacker to add unprotected TLV entries that should be protected. Currently, the primary protected TLV entries should be the dependency indication, and the boot record. An injected dependency value would primarily result in an otherwise acceptable image being rejected. A boot record injection could allow fields in a later attestation record to include data not intended, which could cause an image to appear to have properties that it should not have. As a workaround, disable the boot record functionality. ",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 7.7,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "LOW",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-354",
                     description: "CWE-354: Improper Validation of Integrity Check Value",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-04-26T21:03:24.534Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j",
            },
         ],
         source: {
            advisory: "GHSA-m59c-q9gq-rh2j",
            discovery: "UNKNOWN",
         },
         title: "MCUboot Injection attack of unprotected TLV values",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-32883",
      datePublished: "2024-04-26T21:03:24.534Z",
      dateReserved: "2024-04-19T14:07:11.230Z",
      dateUpdated: "2024-08-02T02:20:35.680Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2024-32883\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-04-26T21:15:49.630\",\"lastModified\":\"2024-11-21T09:15:56.057\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MCUboot is a secure bootloader for 32-bits microcontrollers. MCUboot uses a TLV (tag-length-value) structure to represent the meta data associated with an image.  The TLVs themselves are divided into two sections, a protected and an unprotected section. The protected TLV entries are included as part of the image signature to avoid tampering. However, the code does not distinguish which TLV entries should be protected or not, so it is possible for an attacker to add unprotected TLV entries that should be protected. Currently, the primary protected TLV entries should be the dependency indication, and the boot record. An injected dependency value would primarily result in an otherwise acceptable image being rejected. A boot record injection could allow fields in a later attestation record to include data not intended, which could cause an image to appear to have properties that it should not have. As a workaround, disable the boot record functionality. \"},{\"lang\":\"es\",\"value\":\"MCUboot es un gestor de arranque seguro para microcontroladores de 32 bits. MCUboot utiliza una estructura TLV (etiqueta-longitud-valor) para representar los metadatos asociados con una imagen. Los propios TLV se dividen en dos secciones, una sección protegida y otra desprotegida. Las entradas TLV protegidas se incluyen como parte de la firma de la imagen para evitar manipulaciones. Sin embargo, el código no distingue qué entradas TLV deben protegerse o no, por lo que es posible que un atacante agregue entradas TLV desprotegidas que deberían protegerse. Actualmente, las entradas TLV protegidas principales deben ser la indicación de dependencia y el registro de inicio. Un valor de dependencia inyectado daría como resultado principalmente el rechazo de una imagen que de otro modo sería aceptable. Una inyección de registro de inicio podría permitir que los campos de un registro de atestación posterior incluyan datos no deseados, lo que podría hacer que una imagen parezca tener propiedades que no debería tener. Como workaround, desactive la función de registro de inicio.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-354\"}]}],\"references\":[{\"url\":\"https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
      vulnrichment: {
         containers: "{\"cna\": {\"title\": \"MCUboot Injection attack of unprotected TLV values\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-354\", \"lang\": \"en\", \"description\": \"CWE-354: Improper Validation of Integrity Check Value\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 7.7, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"scope\": \"CHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j\"}], \"affected\": [{\"vendor\": \"mcu-tools\", \"product\": \"mcuboot\", \"versions\": [{\"version\": \"<= 1.11.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-04-26T21:03:24.534Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"MCUboot is a secure bootloader for 32-bits microcontrollers. MCUboot uses a TLV (tag-length-value) structure to represent the meta data associated with an image.  The TLVs themselves are divided into two sections, a protected and an unprotected section. The protected TLV entries are included as part of the image signature to avoid tampering. However, the code does not distinguish which TLV entries should be protected or not, so it is possible for an attacker to add unprotected TLV entries that should be protected. Currently, the primary protected TLV entries should be the dependency indication, and the boot record. An injected dependency value would primarily result in an otherwise acceptable image being rejected. A boot record injection could allow fields in a later attestation record to include data not intended, which could cause an image to appear to have properties that it should not have. As a workaround, disable the boot record functionality. \"}], \"source\": {\"advisory\": \"GHSA-m59c-q9gq-rh2j\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-32883\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-30T15:26:00.714731Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-30T15:26:46.250Z\"}, \"title\": \"CISA ADP Vulnrichment\"}]}",
         cveMetadata: "{\"cveId\": \"CVE-2024-32883\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-04-19T14:07:11.230Z\", \"datePublished\": \"2024-04-26T21:03:24.534Z\", \"dateUpdated\": \"2024-06-04T17:51:00.445Z\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}

gsd-2024-32883

Vulnerability from gsd

Modified

2024-04-20 05:02

Details

Aliases

CVE-2024-32883

JSON

To clipboard

{
   gsd: {
      metadata: {
         exploitCode: "unknown",
         remediation: "unknown",
         reportConfidence: "confirmed",
         type: "vulnerability",
      },
      osvSchema: {
         aliases: [
            "CVE-2024-32883",
         ],
         details: "MCUboot is a secure bootloader for 32-bits microcontrollers. MCUboot uses a TLV (tag-length-value) structure to represent the meta data associated with an image.  The TLVs themselves are divided into two sections, a protected and an unprotected section. The protected TLV entries are included as part of the image signature to avoid tampering. However, the code does not distinguish which TLV entries should be protected or not, so it is possible for an attacker to add unprotected TLV entries that should be protected. Currently, the primary protected TLV entries should be the dependency indication, and the boot record. An injected dependency value would primarily result in an otherwise acceptable image being rejected. A boot record injection could allow fields in a later attestation record to include data not intended, which could cause an image to appear to have properties that it should not have. As a workaround, disable the boot record functionality. ",
         id: "GSD-2024-32883",
         modified: "2024-04-20T05:02:00.245397Z",
         schema_version: "1.4.0",
      },
   },
   namespaces: {
      "cve.org": {
         CVE_data_meta: {
            ASSIGNER: "security-advisories@github.com",
            ID: "CVE-2024-32883",
            STATE: "PUBLIC",
         },
         affects: {
            vendor: {
               vendor_data: [
                  {
                     product: {
                        product_data: [
                           {
                              product_name: "mcuboot",
                              version: {
                                 version_data: [
                                    {
                                       version_affected: "=",
                                       version_value: "<= 1.11.0",
                                    },
                                 ],
                              },
                           },
                        ],
                     },
                     vendor_name: "mcu-tools",
                  },
               ],
            },
         },
         data_format: "MITRE",
         data_type: "CVE",
         data_version: "4.0",
         description: {
            description_data: [
               {
                  lang: "eng",
                  value: "MCUboot is a secure bootloader for 32-bits microcontrollers. MCUboot uses a TLV (tag-length-value) structure to represent the meta data associated with an image.  The TLVs themselves are divided into two sections, a protected and an unprotected section. The protected TLV entries are included as part of the image signature to avoid tampering. However, the code does not distinguish which TLV entries should be protected or not, so it is possible for an attacker to add unprotected TLV entries that should be protected. Currently, the primary protected TLV entries should be the dependency indication, and the boot record. An injected dependency value would primarily result in an otherwise acceptable image being rejected. A boot record injection could allow fields in a later attestation record to include data not intended, which could cause an image to appear to have properties that it should not have. As a workaround, disable the boot record functionality. ",
               },
            ],
         },
         impact: {
            cvss: [
               {
                  attackComplexity: "HIGH",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 7.7,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "LOW",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H",
                  version: "3.1",
               },
            ],
         },
         problemtype: {
            problemtype_data: [
               {
                  description: [
                     {
                        cweId: "CWE-354",
                        lang: "eng",
                        value: "CWE-354: Improper Validation of Integrity Check Value",
                     },
                  ],
               },
            ],
         },
         references: {
            reference_data: [
               {
                  name: "https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j",
                  refsource: "MISC",
                  url: "https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j",
               },
            ],
         },
         source: {
            advisory: "GHSA-m59c-q9gq-rh2j",
            discovery: "UNKNOWN",
         },
      },
      "nvd.nist.gov": {
         cve: {
            descriptions: [
               {
                  lang: "en",
                  value: "MCUboot is a secure bootloader for 32-bits microcontrollers. MCUboot uses a TLV (tag-length-value) structure to represent the meta data associated with an image.  The TLVs themselves are divided into two sections, a protected and an unprotected section. The protected TLV entries are included as part of the image signature to avoid tampering. However, the code does not distinguish which TLV entries should be protected or not, so it is possible for an attacker to add unprotected TLV entries that should be protected. Currently, the primary protected TLV entries should be the dependency indication, and the boot record. An injected dependency value would primarily result in an otherwise acceptable image being rejected. A boot record injection could allow fields in a later attestation record to include data not intended, which could cause an image to appear to have properties that it should not have. As a workaround, disable the boot record functionality. ",
               },
            ],
            id: "CVE-2024-32883",
            lastModified: "2024-04-26T21:15:49.630",
            metrics: {
               cvssMetricV31: [
                  {
                     cvssData: {
                        attackComplexity: "HIGH",
                        attackVector: "LOCAL",
                        availabilityImpact: "HIGH",
                        baseScore: 7.7,
                        baseSeverity: "HIGH",
                        confidentialityImpact: "LOW",
                        integrityImpact: "HIGH",
                        privilegesRequired: "LOW",
                        scope: "CHANGED",
                        userInteraction: "NONE",
                        vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H",
                        version: "3.1",
                     },
                     exploitabilityScore: 1.1,
                     impactScore: 6,
                     source: "security-advisories@github.com",
                     type: "Secondary",
                  },
               ],
            },
            published: "2024-04-26T21:15:49.630",
            references: [
               {
                  source: "security-advisories@github.com",
                  url: "https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j",
               },
            ],
            sourceIdentifier: "security-advisories@github.com",
            vulnStatus: "Received",
            weaknesses: [
               {
                  description: [
                     {
                        lang: "en",
                        value: "CWE-354",
                     },
                  ],
                  source: "security-advisories@github.com",
                  type: "Secondary",
               },
            ],
         },
      },
   },
}

fkie_cve-2024-32883

Vulnerability from fkie_nvd

Published

2024-04-26 21:15

Modified

2024-11-21 09:15

Severity ?

7.7 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H

Summary

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "MCUboot is a secure bootloader for 32-bits microcontrollers. MCUboot uses a TLV (tag-length-value) structure to represent the meta data associated with an image.  The TLVs themselves are divided into two sections, a protected and an unprotected section. The protected TLV entries are included as part of the image signature to avoid tampering. However, the code does not distinguish which TLV entries should be protected or not, so it is possible for an attacker to add unprotected TLV entries that should be protected. Currently, the primary protected TLV entries should be the dependency indication, and the boot record. An injected dependency value would primarily result in an otherwise acceptable image being rejected. A boot record injection could allow fields in a later attestation record to include data not intended, which could cause an image to appear to have properties that it should not have. As a workaround, disable the boot record functionality. ",
      },
      {
         lang: "es",
         value: "MCUboot es un gestor de arranque seguro para microcontroladores de 32 bits. MCUboot utiliza una estructura TLV (etiqueta-longitud-valor) para representar los metadatos asociados con una imagen. Los propios TLV se dividen en dos secciones, una sección protegida y otra desprotegida. Las entradas TLV protegidas se incluyen como parte de la firma de la imagen para evitar manipulaciones. Sin embargo, el código no distingue qué entradas TLV deben protegerse o no, por lo que es posible que un atacante agregue entradas TLV desprotegidas que deberían protegerse. Actualmente, las entradas TLV protegidas principales deben ser la indicación de dependencia y el registro de inicio. Un valor de dependencia inyectado daría como resultado principalmente el rechazo de una imagen que de otro modo sería aceptable. Una inyección de registro de inicio podría permitir que los campos de un registro de atestación posterior incluyan datos no deseados, lo que podría hacer que una imagen parezca tener propiedades que no debería tener. Como workaround, desactive la función de registro de inicio.",
      },
   ],
   id: "CVE-2024-32883",
   lastModified: "2024-11-21T09:15:56.057",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 7.7,
               baseSeverity: "HIGH",
               confidentialityImpact: "LOW",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.1,
            impactScore: 6,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
      ],
   },
   published: "2024-04-26T21:15:49.630",
   references: [
      {
         source: "security-advisories@github.com",
         url: "https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Awaiting Analysis",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-354",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
   ],
}

sca-2024-0004

Vulnerability from csaf_sick

Published

2024-11-07 12:00

Modified

2024-11-07 12:00

Summary

Third party vulnerabilities in SICK CDE-100

Notes

summary

The SICK CDE-100 uses the open-source libraries FreeRTOS, lwIP and MCU Boot. The used libraries contain vulnerabilities that affect the SICK CDE-100.

General Security Measures

As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment.

Vulnerability Classification

SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer’s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.

JSON

To clipboard

{
   document: {
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en-US",
      notes: [
         {
            category: "summary",
            text: "The SICK CDE-100 uses the open-source libraries FreeRTOS, lwIP and MCU Boot. The used libraries contain vulnerabilities that affect the SICK CDE-100.",
            title: "summary",
         },
         {
            category: "general",
            text: "As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment.",
            title: "General Security Measures",
         },
         {
            category: "general",
            text: "SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer’s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.",
            title: "Vulnerability Classification",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "psirt@sick.de",
         issuing_authority: "SICK PSIRT is responsible for any vulnerabilities related to SICK products.",
         name: "SICK PSIRT",
         namespace: "https://sick.com/psirt",
      },
      references: [
         {
            summary: "SICK PSIRT Security Advisories",
            url: "https://sick.com/psirt",
         },
         {
            summary: "SICK Operating Guidelines",
            url: "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF",
         },
         {
            summary: "ICS-CERT recommended practices on Industrial Security",
            url: "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices",
         },
         {
            summary: "CVSS v3.1 Calculator",
            url: "https://www.first.org/cvss/calculator/3.1",
         },
         {
            category: "self",
            summary: "The canonical URL.",
            url: "https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0004.json",
         },
      ],
      title: "Third party vulnerabilities in SICK CDE-100",
      tracking: {
         current_release_date: "2024-11-07T12:00:00.000Z",
         generator: {
            date: "2024-11-07T14:07:12.361Z",
            engine: {
               name: "Secvisogram",
               version: "2.5.14",
            },
         },
         id: "SCA-2024-0004",
         initial_release_date: "2024-11-07T12:00:00.000Z",
         revision_history: [
            {
               date: "2024-11-07T12:00:00.000Z",
               number: "1",
               summary: "Initial version",
            },
         ],
         status: "final",
         version: "1",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "vers:all/*",
                        product: {
                           name: "SICK CDE-100 all versions",
                           product_id: "CSAFPID-0001",
                           product_identification_helper: {
                              skus: [
                                 "1134028",
                              ],
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "CDE-100",
               },
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "vers:all/*",
                        product: {
                           name: "SICK CDE-100 Firmware all versions",
                           product_id: "CSAFPID-0002",
                        },
                     },
                  ],
                  category: "product_name",
                  name: "CDE-100 Firmware",
               },
            ],
            category: "vendor",
            name: "SICK AG",
         },
      ],
      relationships: [
         {
            category: "installed_on",
            full_product_name: {
               name: "SICK CDE-100 all Firmware versions",
               product_id: "CSAFPID-0003",
            },
            product_reference: "CSAFPID-0002",
            relates_to_product_reference: "CSAFPID-0001",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2021-31571",
         cwe: {
            id: "CWE-190",
            name: "Integer Overflow or Wraparound",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "The kernel in Amazon Web Services FreeRTOS before 10.4.3 has an integer overflow in queue.c for queue creation.",
               title: "Summary",
            },
         ],
         product_status: {
            under_investigation: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "NVD Entry",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-31571",
            },
         ],
         remediations: [
            {
               category: "workaround",
               details: "SICK is still investigating if the CDE-100 is affected by this vulnerability.\n\nPlease make sure that you apply general security practices when operating the CDE-100 like network segmentation. The following General Security Practices and Operating Guidelines\ncould mitigate the associated security risk.",
               product_ids: [
                  "CSAFPID-0003",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  environmentalScore: 9.8,
                  environmentalSeverity: "CRITICAL",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  temporalScore: 9.8,
                  temporalSeverity: "CRITICAL",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "FreeRTOS vulnerabilitiy ",
      },
      {
         cve: "CVE-2021-31572",
         cwe: {
            id: "CWE-190",
            name: "Integer Overflow or Wraparound",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "The kernel in Amazon Web Services FreeRTOS before 10.4.3 has an integer overflow in stream_buffer.c for a stream buffer.",
               title: "Summary",
            },
         ],
         product_status: {
            under_investigation: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "NVD Entry",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-31572",
            },
         ],
         remediations: [
            {
               category: "workaround",
               details: "SICK is still investigating if the CDE-100 is affected by this vulnerability.\n\nPlease make sure that you apply general security practices when operating the CDE-100 like network segmentation. The following General Security Practices and Operating Guidelines\ncould mitigate the associated security risk.",
               product_ids: [
                  "CSAFPID-0003",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  environmentalScore: 9.8,
                  environmentalSeverity: "CRITICAL",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  temporalScore: 9.8,
                  temporalSeverity: "CRITICAL",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "FreeRTOS vulnerabilitiy ",
      },
      {
         cve: "CVE-2021-32020",
         cwe: {
            id: "CWE-119",
            name: "Improper Restriction of Operations within the Bounds of a Memory Buffer",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "The kernel in Amazon Web Services FreeRTOS before 10.4.3 has insufficient bounds checking during management of heap memory.",
               title: "Summary",
            },
         ],
         product_status: {
            under_investigation: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "NVD Entry",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-32020",
            },
         ],
         remediations: [
            {
               category: "workaround",
               details: "SICK is still investigating if the CDE-100 is affected by this vulnerability.\n\nPlease make sure that you apply general security practices when operating the CDE-100 like network segmentation. The following General Security Practices and Operating Guidelines\ncould mitigate the associated security risk.",
               product_ids: [
                  "CSAFPID-0003",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  environmentalScore: 9.8,
                  environmentalSeverity: "CRITICAL",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  temporalScore: 9.8,
                  temporalSeverity: "CRITICAL",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "FreeRTOS vulnerabilitiy ",
      },
      {
         cve: "CVE-2021-43997",
         cwe: {
            id: "CWE-269",
            name: "Improper Privilege Management",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "FreeRTOS versions 10.2.0 through 10.4.5 do not prevent non-kernel code from calling the xPortRaisePrivilege internal function to raise privilege. FreeRTOS versions through 10.4.6 do not prevent a third party that has already independently gained the ability to execute injected code to achieve further privilege escalation by branching directly inside a FreeRTOS MPU API wrapper function with a manually crafted stack frame. These issues affect ARMv7-M MPU ports, and ARMv8-M ports with MPU support enabled (i.e. configENABLE_MPU set to 1). These are fixed in V10.5.0 and in V10.4.3-LTS Patch 3.",
               title: "Summary",
            },
         ],
         product_status: {
            known_not_affected: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "NVD Entry",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-43997",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 7.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  environmentalScore: 7.8,
                  environmentalSeverity: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  temporalScore: 7.8,
                  temporalSeverity: "HIGH",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "FreeRTOS vulnerabilitiy ",
      },
      {
         cve: "CVE-2021-27504",
         cwe: {
            id: "CWE-190",
            name: "Integer Overflow or Wraparound",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "Texas Instruments devices running FREERTOS, malloc returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in 'malloc' for FreeRTOS, resulting in code execution.",
               title: "Summary",
            },
         ],
         product_status: {
            known_not_affected: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "NVD Entry",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-27504",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 7.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  environmentalScore: 7.8,
                  environmentalSeverity: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  temporalScore: 7.8,
                  temporalSeverity: "HIGH",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "FreeRTOS vulnerabilitiy ",
      },
      {
         cve: "CVE-2020-22284",
         cwe: {
            id: "CWE-120",
            name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "A buffer overflow vulnerability in the zepif_linkoutput() function of Free Software Foundation lwIP git head version and version 2.1.2 allows attackers to access sensitive information via a crafted 6LoWPAN packet.",
               title: "Summary",
            },
         ],
         product_status: {
            known_not_affected: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "NVD Entry",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2020-22284",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  environmentalScore: 7.5,
                  environmentalSeverity: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  temporalScore: 7.5,
                  temporalSeverity: "HIGH",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "Free Software Foundation lwIP vulnerability",
      },
      {
         cve: "CVE-2020-22283",
         cwe: {
            id: "CWE-1120",
            name: "Excessive Code Complexity",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "A buffer overflow vulnerability in the icmp6_send_response_with_addrs_and_netif() function of Free Software Foundation lwIP version git head allows attackers to access sensitive information via a crafted ICMPv6 packet.",
               title: "Summary",
            },
         ],
         product_status: {
            known_not_affected: [
               "CSAFPID-0003",
            ],
         },
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  environmentalScore: 7.5,
                  environmentalSeverity: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  temporalScore: 7.5,
                  temporalSeverity: "HIGH",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "Free Software Foundation lwIP vulnerability",
      },
      {
         cve: "CVE-2021-3399",
         cwe: {
            id: "CWE-1321",
            name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "The MCUboot project uses hard-coded public/private keys as an aid to developers. Although documented that anyone producing a product using MCUboot should create their own keys, the build system does not encourage this, and it is very easy to produce a product using these keys.",
               title: "Summary",
            },
         ],
         product_status: {
            known_not_affected: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "GitHub Entry",
               url: "https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-gcxh-546h-phg4",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "ADJACENT_NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.6,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  environmentalScore: 9.7,
                  environmentalSeverity: "CRITICAL",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  temporalScore: 9.6,
                  temporalSeverity: "CRITICAL",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "MCU Boot vulnerability",
      },
      {
         cve: "CVE-2021-3890",
         cwe: {
            id: "CWE-680",
            name: "Integer Overflow to Buffer Overflow",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "In case MCUBOOT_MEASURED_BOOT is defined the TLV structure is parsed in order to retrieve the information from the image in flash and use it for saving the status information.\n\nTwo TLV fields are retrieved by the mcuboot, namely IMAGE_TLV_BOOT_RECORD and IMAGE_TLV_SHA256. Since the length of the TLV field is defined by the TLV itself it is possible that length record_len in IMAGE_TLV_BOOT_RECORD is reasonably arbitrary.\n\nThe TLV data in the image stored in flash cannot be fully trusted since there is no authentication of the TLV data performed by the mcuboot bootloader. In case of an external SPI flash the tlv data can be easily modified by the attacker as well.\n\nThe value record_len is checked to be not larger than the receiving buffer buf, but not checked if it is smaller than the expected length.\n\nIn case record_len is smaller than sizeof(image_hash) integer underflow will take place resulting in a negative value interpreted as an unsigned value. Once the offset is added to the pointer buff the destination pointer value will overflow and up to 31 bytes of attacker controlled data will be written on the stack out of bounds, resulting in the stack memory corruption and depending on the stack layout can lead to an arbitrary code execution.",
            },
         ],
         product_status: {
            under_investigation: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "GitHub Entry",
               url: "https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-8hrv-4cp5-4rg3",
            },
         ],
         remediations: [
            {
               category: "workaround",
               details: "SICK is currently investigating whether the CDE-100 is impacted by this vulnerability.\n\nPlease make sure that you apply general security practices when operating the CDE-100 like network segmentation. The following General Security Practices and Operating Guidelines\ncould mitigate the associated security risk.",
               product_ids: [
                  "CSAFPID-0003",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "PHYSICAL",
                  availabilityImpact: "LOW",
                  baseScore: 4.8,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  environmentalScore: 4.8,
                  environmentalSeverity: "MEDIUM",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  temporalScore: 4.8,
                  temporalSeverity: "MEDIUM",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "MCU Boot vulnerability",
      },
      {
         cve: "CVE-2024-32883",
         cwe: {
            id: "CWE-354",
            name: "Improper Validation of Integrity Check Value",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "MCUboot uses a TLV (tag-length-value) structure to represent the meta data associated with an image. The TLVs themselves are divided into two sections, a protected and an unprotected section. The protected TLV entries are included as part of the image signature to avoid tampering. However, the code does not distinguish which TLV entries should be protected or not, so it is possible for an attacker to add unprotected TLV entries that should be protected. Currently, the primary protected TLV entries should be the dependency indication, and the boot record. An injected dependency value would primarily result in an otherwise acceptable image being rejected. A boot record injection could allow fields in a later attestation record to include data not intended, which could cause an image to appear to have properties that it should not have.",
               title: "Summary",
            },
         ],
         product_status: {
            under_investigation: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "GitHub Entry",
               url: "https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j",
            },
         ],
         remediations: [
            {
               category: "workaround",
               details: "SICK is currently investigating whether the CDE-100 is impacted by this vulnerability.\n\nPlease make sure that you apply general security practices when operating the CDE-100 like network segmentation. The following General Security Practices and Operating Guidelines\ncould mitigate the associated security risk.",
               product_ids: [
                  "CSAFPID-0003",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "HIGH",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 7.7,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "LOW",
                  environmentalScore: 7.7,
                  environmentalSeverity: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  temporalScore: 7.7,
                  temporalSeverity: "HIGH",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "MCU Boot vulnerability",
      },
   ],
}

SCA-2024-0004

Vulnerability from csaf_sick

Published

2024-11-07 12:00

Modified

2024-11-07 12:00

Summary

Third party vulnerabilities in SICK CDE-100

Notes

summary

The SICK CDE-100 uses the open-source libraries FreeRTOS, lwIP and MCU Boot. The used libraries contain vulnerabilities that affect the SICK CDE-100.

General Security Measures

Vulnerability Classification

JSON

To clipboard

{
   document: {
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en-US",
      notes: [
         {
            category: "summary",
            text: "The SICK CDE-100 uses the open-source libraries FreeRTOS, lwIP and MCU Boot. The used libraries contain vulnerabilities that affect the SICK CDE-100.",
            title: "summary",
         },
         {
            category: "general",
            text: "As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment.",
            title: "General Security Measures",
         },
         {
            category: "general",
            text: "SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer’s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.",
            title: "Vulnerability Classification",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "psirt@sick.de",
         issuing_authority: "SICK PSIRT is responsible for any vulnerabilities related to SICK products.",
         name: "SICK PSIRT",
         namespace: "https://sick.com/psirt",
      },
      references: [
         {
            summary: "SICK PSIRT Security Advisories",
            url: "https://sick.com/psirt",
         },
         {
            summary: "SICK Operating Guidelines",
            url: "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF",
         },
         {
            summary: "ICS-CERT recommended practices on Industrial Security",
            url: "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices",
         },
         {
            summary: "CVSS v3.1 Calculator",
            url: "https://www.first.org/cvss/calculator/3.1",
         },
         {
            category: "self",
            summary: "The canonical URL.",
            url: "https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0004.json",
         },
      ],
      title: "Third party vulnerabilities in SICK CDE-100",
      tracking: {
         current_release_date: "2024-11-07T12:00:00.000Z",
         generator: {
            date: "2024-11-07T14:07:12.361Z",
            engine: {
               name: "Secvisogram",
               version: "2.5.14",
            },
         },
         id: "SCA-2024-0004",
         initial_release_date: "2024-11-07T12:00:00.000Z",
         revision_history: [
            {
               date: "2024-11-07T12:00:00.000Z",
               number: "1",
               summary: "Initial version",
            },
         ],
         status: "final",
         version: "1",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "vers:all/*",
                        product: {
                           name: "SICK CDE-100 all versions",
                           product_id: "CSAFPID-0001",
                           product_identification_helper: {
                              skus: [
                                 "1134028",
                              ],
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "CDE-100",
               },
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "vers:all/*",
                        product: {
                           name: "SICK CDE-100 Firmware all versions",
                           product_id: "CSAFPID-0002",
                        },
                     },
                  ],
                  category: "product_name",
                  name: "CDE-100 Firmware",
               },
            ],
            category: "vendor",
            name: "SICK AG",
         },
      ],
      relationships: [
         {
            category: "installed_on",
            full_product_name: {
               name: "SICK CDE-100 all Firmware versions",
               product_id: "CSAFPID-0003",
            },
            product_reference: "CSAFPID-0002",
            relates_to_product_reference: "CSAFPID-0001",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2021-31571",
         cwe: {
            id: "CWE-190",
            name: "Integer Overflow or Wraparound",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "The kernel in Amazon Web Services FreeRTOS before 10.4.3 has an integer overflow in queue.c for queue creation.",
               title: "Summary",
            },
         ],
         product_status: {
            under_investigation: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "NVD Entry",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-31571",
            },
         ],
         remediations: [
            {
               category: "workaround",
               details: "SICK is still investigating if the CDE-100 is affected by this vulnerability.\n\nPlease make sure that you apply general security practices when operating the CDE-100 like network segmentation. The following General Security Practices and Operating Guidelines\ncould mitigate the associated security risk.",
               product_ids: [
                  "CSAFPID-0003",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  environmentalScore: 9.8,
                  environmentalSeverity: "CRITICAL",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  temporalScore: 9.8,
                  temporalSeverity: "CRITICAL",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "FreeRTOS vulnerabilitiy ",
      },
      {
         cve: "CVE-2021-31572",
         cwe: {
            id: "CWE-190",
            name: "Integer Overflow or Wraparound",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "The kernel in Amazon Web Services FreeRTOS before 10.4.3 has an integer overflow in stream_buffer.c for a stream buffer.",
               title: "Summary",
            },
         ],
         product_status: {
            under_investigation: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "NVD Entry",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-31572",
            },
         ],
         remediations: [
            {
               category: "workaround",
               details: "SICK is still investigating if the CDE-100 is affected by this vulnerability.\n\nPlease make sure that you apply general security practices when operating the CDE-100 like network segmentation. The following General Security Practices and Operating Guidelines\ncould mitigate the associated security risk.",
               product_ids: [
                  "CSAFPID-0003",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  environmentalScore: 9.8,
                  environmentalSeverity: "CRITICAL",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  temporalScore: 9.8,
                  temporalSeverity: "CRITICAL",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "FreeRTOS vulnerabilitiy ",
      },
      {
         cve: "CVE-2021-32020",
         cwe: {
            id: "CWE-119",
            name: "Improper Restriction of Operations within the Bounds of a Memory Buffer",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "The kernel in Amazon Web Services FreeRTOS before 10.4.3 has insufficient bounds checking during management of heap memory.",
               title: "Summary",
            },
         ],
         product_status: {
            under_investigation: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "NVD Entry",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-32020",
            },
         ],
         remediations: [
            {
               category: "workaround",
               details: "SICK is still investigating if the CDE-100 is affected by this vulnerability.\n\nPlease make sure that you apply general security practices when operating the CDE-100 like network segmentation. The following General Security Practices and Operating Guidelines\ncould mitigate the associated security risk.",
               product_ids: [
                  "CSAFPID-0003",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  environmentalScore: 9.8,
                  environmentalSeverity: "CRITICAL",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  temporalScore: 9.8,
                  temporalSeverity: "CRITICAL",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "FreeRTOS vulnerabilitiy ",
      },
      {
         cve: "CVE-2021-43997",
         cwe: {
            id: "CWE-269",
            name: "Improper Privilege Management",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "FreeRTOS versions 10.2.0 through 10.4.5 do not prevent non-kernel code from calling the xPortRaisePrivilege internal function to raise privilege. FreeRTOS versions through 10.4.6 do not prevent a third party that has already independently gained the ability to execute injected code to achieve further privilege escalation by branching directly inside a FreeRTOS MPU API wrapper function with a manually crafted stack frame. These issues affect ARMv7-M MPU ports, and ARMv8-M ports with MPU support enabled (i.e. configENABLE_MPU set to 1). These are fixed in V10.5.0 and in V10.4.3-LTS Patch 3.",
               title: "Summary",
            },
         ],
         product_status: {
            known_not_affected: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "NVD Entry",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-43997",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 7.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  environmentalScore: 7.8,
                  environmentalSeverity: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  temporalScore: 7.8,
                  temporalSeverity: "HIGH",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "FreeRTOS vulnerabilitiy ",
      },
      {
         cve: "CVE-2021-27504",
         cwe: {
            id: "CWE-190",
            name: "Integer Overflow or Wraparound",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "Texas Instruments devices running FREERTOS, malloc returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in 'malloc' for FreeRTOS, resulting in code execution.",
               title: "Summary",
            },
         ],
         product_status: {
            known_not_affected: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "NVD Entry",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-27504",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 7.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  environmentalScore: 7.8,
                  environmentalSeverity: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  temporalScore: 7.8,
                  temporalSeverity: "HIGH",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "FreeRTOS vulnerabilitiy ",
      },
      {
         cve: "CVE-2020-22284",
         cwe: {
            id: "CWE-120",
            name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "A buffer overflow vulnerability in the zepif_linkoutput() function of Free Software Foundation lwIP git head version and version 2.1.2 allows attackers to access sensitive information via a crafted 6LoWPAN packet.",
               title: "Summary",
            },
         ],
         product_status: {
            known_not_affected: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "NVD Entry",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2020-22284",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  environmentalScore: 7.5,
                  environmentalSeverity: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  temporalScore: 7.5,
                  temporalSeverity: "HIGH",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "Free Software Foundation lwIP vulnerability",
      },
      {
         cve: "CVE-2020-22283",
         cwe: {
            id: "CWE-1120",
            name: "Excessive Code Complexity",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "A buffer overflow vulnerability in the icmp6_send_response_with_addrs_and_netif() function of Free Software Foundation lwIP version git head allows attackers to access sensitive information via a crafted ICMPv6 packet.",
               title: "Summary",
            },
         ],
         product_status: {
            known_not_affected: [
               "CSAFPID-0003",
            ],
         },
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  environmentalScore: 7.5,
                  environmentalSeverity: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  temporalScore: 7.5,
                  temporalSeverity: "HIGH",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "Free Software Foundation lwIP vulnerability",
      },
      {
         cve: "CVE-2021-3399",
         cwe: {
            id: "CWE-1321",
            name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "The MCUboot project uses hard-coded public/private keys as an aid to developers. Although documented that anyone producing a product using MCUboot should create their own keys, the build system does not encourage this, and it is very easy to produce a product using these keys.",
               title: "Summary",
            },
         ],
         product_status: {
            known_not_affected: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "GitHub Entry",
               url: "https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-gcxh-546h-phg4",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "ADJACENT_NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.6,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  environmentalScore: 9.7,
                  environmentalSeverity: "CRITICAL",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  temporalScore: 9.6,
                  temporalSeverity: "CRITICAL",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "MCU Boot vulnerability",
      },
      {
         cve: "CVE-2021-3890",
         cwe: {
            id: "CWE-680",
            name: "Integer Overflow to Buffer Overflow",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "In case MCUBOOT_MEASURED_BOOT is defined the TLV structure is parsed in order to retrieve the information from the image in flash and use it for saving the status information.\n\nTwo TLV fields are retrieved by the mcuboot, namely IMAGE_TLV_BOOT_RECORD and IMAGE_TLV_SHA256. Since the length of the TLV field is defined by the TLV itself it is possible that length record_len in IMAGE_TLV_BOOT_RECORD is reasonably arbitrary.\n\nThe TLV data in the image stored in flash cannot be fully trusted since there is no authentication of the TLV data performed by the mcuboot bootloader. In case of an external SPI flash the tlv data can be easily modified by the attacker as well.\n\nThe value record_len is checked to be not larger than the receiving buffer buf, but not checked if it is smaller than the expected length.\n\nIn case record_len is smaller than sizeof(image_hash) integer underflow will take place resulting in a negative value interpreted as an unsigned value. Once the offset is added to the pointer buff the destination pointer value will overflow and up to 31 bytes of attacker controlled data will be written on the stack out of bounds, resulting in the stack memory corruption and depending on the stack layout can lead to an arbitrary code execution.",
            },
         ],
         product_status: {
            under_investigation: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "GitHub Entry",
               url: "https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-8hrv-4cp5-4rg3",
            },
         ],
         remediations: [
            {
               category: "workaround",
               details: "SICK is currently investigating whether the CDE-100 is impacted by this vulnerability.\n\nPlease make sure that you apply general security practices when operating the CDE-100 like network segmentation. The following General Security Practices and Operating Guidelines\ncould mitigate the associated security risk.",
               product_ids: [
                  "CSAFPID-0003",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "PHYSICAL",
                  availabilityImpact: "LOW",
                  baseScore: 4.8,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  environmentalScore: 4.8,
                  environmentalSeverity: "MEDIUM",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  temporalScore: 4.8,
                  temporalSeverity: "MEDIUM",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "MCU Boot vulnerability",
      },
      {
         cve: "CVE-2024-32883",
         cwe: {
            id: "CWE-354",
            name: "Improper Validation of Integrity Check Value",
         },
         notes: [
            {
               audience: "all",
               category: "summary",
               text: "MCUboot uses a TLV (tag-length-value) structure to represent the meta data associated with an image. The TLVs themselves are divided into two sections, a protected and an unprotected section. The protected TLV entries are included as part of the image signature to avoid tampering. However, the code does not distinguish which TLV entries should be protected or not, so it is possible for an attacker to add unprotected TLV entries that should be protected. Currently, the primary protected TLV entries should be the dependency indication, and the boot record. An injected dependency value would primarily result in an otherwise acceptable image being rejected. A boot record injection could allow fields in a later attestation record to include data not intended, which could cause an image to appear to have properties that it should not have.",
               title: "Summary",
            },
         ],
         product_status: {
            under_investigation: [
               "CSAFPID-0003",
            ],
         },
         references: [
            {
               category: "external",
               summary: "GitHub Entry",
               url: "https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j",
            },
         ],
         remediations: [
            {
               category: "workaround",
               details: "SICK is currently investigating whether the CDE-100 is impacted by this vulnerability.\n\nPlease make sure that you apply general security practices when operating the CDE-100 like network segmentation. The following General Security Practices and Operating Guidelines\ncould mitigate the associated security risk.",
               product_ids: [
                  "CSAFPID-0003",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "HIGH",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 7.7,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "LOW",
                  environmentalScore: 7.7,
                  environmentalSeverity: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  temporalScore: 7.7,
                  temporalSeverity: "HIGH",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-0003",
               ],
            },
         ],
         title: "MCU Boot vulnerability",
      },
   ],
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2024-32883

Vulnerability from cvelistv5

gsd-2024-32883

Vulnerability from gsd

fkie_cve-2024-32883

Vulnerability from fkie_nvd

sca-2024-0004

Vulnerability from csaf_sick

SCA-2024-0004

Vulnerability from csaf_sick

Tags

Sightings

Nomenclature