Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
8.8
CVSSv3

CVE-2019-13916

Published: 13/04/2020 Updated: 22/04/2020
CVSS v2 Base Score: 5.8 | Impact Score: 6.4 | Exploitability Score: 6.5
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 516
Vector: AV:A/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

An issue exists in Cypress (formerly Broadcom) WICED Studio 6.2 CYW20735B1 and CYW20819A1. As a Bluetooth Low Energy (BLE) packet is received, it is copied into a Heap (ThreadX Block) buffer. The buffer allocated in dhmulp_getRxBuffer is four bytes too small to hold the maximum of 255 bytes plus headers. It is possible to corrupt a pointer in the linked list holding the free buffers of the g_mm_BLEDeviceToHostPool Block pool. This pointer can be fully controlled by overflowing with 3 bytes of packet data and the first byte of the packet CRC checksum. The checksum can be freely chosen by adapting the packet data accordingly. An attacker might be able to allocate the overwritten address as a receive buffer resulting in a write-what-where condition. This is fixed in BT SDK2.4 and BT SDK2.45.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

cypress wiced_studio 6.2

Github Repositories

https://github.com/seemoo-lab/frankenstein

Broadcom and Cypress firmware emulation for fuzzing and further full-stack debugging

Frankenstein provides a virtual environment to fuzz wireless firmwares Firmwares can be hooked during runtime to extract their current state (ie, xmitstate through InternalBlue) Then, they can be re-executed in a virtual environment for fuzzing To do so, the firmware image needs to be reassembled to an ELF file that can be executed with QEMU The firmware image reassembly

References

CWE-787https://github.com/seemoo-lab/frankenstein/blob/master/doc/CVE_2019_13916.mdhttps://community.cypress.com/thread/53681https://nvd.nist.govhttps://github.com/seemoo-lab/frankenstein
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-49223CVE-2024-0044information disclosureCVE-2024-35753HTML injectionCVE-2024-21306CVE-2024-35733SQL injectionCVE-2024-35732
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook