Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.8
CVSSv3

CVE-2019-18614

Published: 16/06/2020 Updated: 24/06/2020
CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 409
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
Subscribe to Cyw20735 Firmware

Vulnerability Summary

On the Cypress CYW20735 evaluation board, any data that exceeds 384 bytes is copied and causes an overflow. This is because the maximum BLOC buffer size for sending and receiving data is set to 384 bytes, but everything else is still configured to the usual size of 1092 (which was used for everything in the previous CYW20719 and later CYW20819 evaluation board). To trigger the overflow, an attacker can either send packets over the air or as unprivileged local user. Over the air, the minimal PoC is sending "l2ping -s 600" to the target address prior to any pairing. Locally, the buffer overflow is immediately triggered by opening an ACL or SCO connection to a headset. This occurs because, in WICED Studio 6.2 and 6.4, BT_ACL_HOST_TO_DEVICE_DEFAULT_SIZE and BT_ACL_DEVICE_TO_HOST_DEFAULT_SIZE are set to 384.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

cypress cyw20735_firmware -

Github Repositories

https://github.com/seemoo-lab/frankenstein

Broadcom and Cypress firmware emulation for fuzzing and further full-stack debugging

Frankenstein provides a virtual environment to fuzz wireless firmwares Firmwares can be hooked during runtime to extract their current state (ie, xmitstate through InternalBlue) Then, they can be re-executed in a virtual environment for fuzzing To do so, the firmware image needs to be reassembled to an ELF file that can be executed with QEMU The firmware image reassembly

References

CWE-787https://github.com/seemoo-lab/frankenstein/blob/master/doc/CVE_2019_18614.mdhttps://nvd.nist.govhttps://github.com/seemoo-lab/frankenstein
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
blind SQL injectionSSRFbuffer overflowCVE-2023-28952CVE-2023-41822CVE-2024-27956CVE-2023-7028CVE-2024-34447CVE-2024-34460
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook