15 matches found
EUVD-2020-2524
Malware in sbrugna...
EUVD-2020-2487
Malware in sbrugna...
Zephyr Code Execution Vulnerability
Zephyr is an open source, small, scalable real-time operating system from the Linux Foundation. A security vulnerability exists in Zephyr versions 2.1.0 and later and 2.2.0 and later. An attacker can exploit this vulnerability by sending a malformed JSON file to the UpdateHub server to cause a...
Zephyr Trust Management Issues Vulnerabilities
Zephyr is an open source, small, scalable real-time operating system from the Linux Foundation. A trust management issue vulnerability exists in the UpdateHub module in Zephyr 2.1.0 and later fixed in version 2.2.0, which stems from the program disabling DTLS peer checking. An attacker could use...
CVE-2020-10060
In updatehubprobe, right after JSON parsing is complete, objects\1 is accessed from the output structure in two different places. If the JSON contained less than two elements, this access would reference unitialized stack memory. This could result in a crash, denial of service, or possibly an...
CVE-2020-10022
A malformed JSON payload that is received from an UpdateHub server may trigger memory corruption in the Zephyr OS. This could result in a denial of service in the best case, or code execution in the worst case. See NCC-NCC-016 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later...
CVE-2020-10059
The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware images requiring valid signatures. However, there is no benefit to using DTLS without the peer checking. See NCC-ZEP-018 This issue affects: zephyrproject-rtos zephyr versi...
CVE-2020-10059
The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware images requiring valid signatures. However, there is no benefit to using DTLS without the peer checking. See NCC-ZEP-018 This issue affects: zephyrproject-rtos zephyr versi...
Memory corruption
A malformed JSON payload that is received from an UpdateHub server may trigger memory corruption in the Zephyr OS. This could result in a denial of service in the best case, or code execution in the worst case. See NCC-NCC-016 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later...
Code injection
The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware images requiring valid signatures. However, there is no benefit to using DTLS without the peer checking. See NCC-ZEP-018 This issue affects: zephyrproject-rtos zephyr versi...
CVE-2020-10059 UpdateHub Module Explicitly Disables TLS Verification
The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware images requiring valid signatures. However, there is no benefit to using DTLS without the peer checking. See NCC-ZEP-018 This issue affects: zephyrproject-rtos zephyr versi...
CVE-2020-10060 UpdateHub Might Dereference An Uninitialized Pointer
In updatehubprobe, right after JSON parsing is complete, objects\1 is accessed from the output structure in two different places. If the JSON contained less than two elements, this access would reference unitialized stack memory. This could result in a crash, denial of service, or possibly an...
CVE-2020-10059
CVE-2020-10059 affects Zephyr Project RTOS (2.1.0 and later) via the UpdateHub module, which disables DTLS peer checking. This enables a man-in-the-middle risk, mitigated by firmware signatures, with no shown exploit details in the documents. The issue sits with the UpdateHub component and is lin...
CVE-2020-10022 UpdateHub Module Copies a Variable-Size Hash String Into a Fixed-Size Array
A malformed JSON payload that is received from an UpdateHub server may trigger memory corruption in the Zephyr OS. This could result in a denial of service in the best case, or code execution in the worst case. See NCC-NCC-016 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later...
CVE-2020-10022
CVE-2020-10022 affects Zephyr OS (zephyrproject-rtos) via a malformed JSON payload received from an UpdateHub server, causing memory corruption. This leads to either denial of service or potential code execution in Zephyr versions 2.1.0 and later (including 2.2.0+). Root cause described across co...