CVE-2024-53980 (GCVE-0-2024-53980)
Vulnerability from cvelistv5
Published
2024-11-29 18:56
Modified
2024-12-02 11:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Summary
RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A malicious actor can send a IEEE 802.15.4 packet with spoofed length byte and optionally spoofed FCS, which eventually results into an endless loop on a CC2538 as receiver. Before PR #20998, the receiver would check for the location of the CRC bit using the packet length byte by considering all 8 bits, instead of discarding bit 7, which is what the radio does. This then results into reading outside of the RX FIFO. Although it prints an error when attempting to read outside of the RX FIFO, it will continue doing this. This may lead to a discrepancy in the CRC check according to the firmware and the radio. If the CPU judges the CRC as correct and the radio is set to `AUTO_ACK`, when the packet requests and acknowledgment the CPU will go into the state `CC2538_STATE_TX_ACK`. However, if the radio judged the CRC as incorrect, it will not send an acknowledgment, and thus the `TXACKDONE` event will not fire. It will then never return to the state `CC2538_STATE_READY` since the baseband processing is still disabled. Then the CPU will be in an endless loop. Since setting to idle is not forced, it won't do it if the radio's state is not `CC2538_STATE_READY`. A fix has not yet been made.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "riot",
"vendor": "riot-os",
"versions": [
{
"lessThanOrEqual": "2024.07",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53980",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-02T11:05:59.654739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-02T11:06:19.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "RIOT",
"vendor": "RIOT-OS",
"versions": [
{
"status": "affected",
"version": "\u003c= 2024.07"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A malicious actor can send a IEEE 802.15.4 packet with spoofed length byte and optionally spoofed FCS, which eventually results into an endless loop on a CC2538 as receiver. Before PR #20998, the receiver would check for the location of the CRC bit using the packet length byte by considering all 8 bits, instead of discarding bit 7, which is what the radio does. This then results into reading outside of the RX FIFO. Although it prints an error when attempting to read outside of the RX FIFO, it will continue doing this. This may lead to a discrepancy in the CRC check according to the firmware and the radio. If the CPU judges the CRC as correct and the radio is set to `AUTO_ACK`, when the packet requests and acknowledgment the CPU will go into the state `CC2538_STATE_TX_ACK`. However, if the radio judged the CRC as incorrect, it will not send an acknowledgment, and thus the `TXACKDONE` event will not fire. It will then never return to the state `CC2538_STATE_READY` since the baseband processing is still disabled. Then the CPU will be in an endless loop. Since setting to idle is not forced, it won\u0027t do it if the radio\u0027s state is not `CC2538_STATE_READY`. A fix has not yet been made."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-29T18:56:57.584Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-m75q-8vj8-wppw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-m75q-8vj8-wppw"
},
{
"name": "https://github.com/RIOT-OS/RIOT/pull/20998",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RIOT-OS/RIOT/pull/20998"
},
{
"name": "https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/cpu/cc2538/radio/cc2538_rf_radio_ops.c#L183",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/cpu/cc2538/radio/cc2538_rf_radio_ops.c#L183"
},
{
"name": "https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/cpu/cc2538/radio/cc2538_rf_radio_ops.c#L417",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/cpu/cc2538/radio/cc2538_rf_radio_ops.c#L417"
},
{
"name": "https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/cpu/cc2538/radio/cc2538_rf_radio_ops.c#L419",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/cpu/cc2538/radio/cc2538_rf_radio_ops.c#L419"
},
{
"name": "https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/cpu/cc2538/radio/cc2538_rf_radio_ops.c#L421-L422",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/cpu/cc2538/radio/cc2538_rf_radio_ops.c#L421-L422"
},
{
"name": "https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/sys/net/link_layer/ieee802154/submac.c#L149",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/sys/net/link_layer/ieee802154/submac.c#L149"
}
],
"source": {
"advisory": "GHSA-m75q-8vj8-wppw",
"discovery": "UNKNOWN"
},
"title": "Spoofed length byte traps CC2538 in endless loop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-53980",
"datePublished": "2024-11-29T18:56:57.584Z",
"dateReserved": "2024-11-25T23:14:36.379Z",
"dateUpdated": "2024-12-02T11:06:19.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-53980\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-02T11:05:59.654739Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:*\"], \"vendor\": \"riot-os\", \"product\": \"riot\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2024.07\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-02T11:05:27.872Z\"}}], \"cna\": {\"title\": \"Spoofed length byte traps CC2538 in endless loop\", \"source\": {\"advisory\": \"GHSA-m75q-8vj8-wppw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"RIOT-OS\", \"product\": \"RIOT\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 2024.07\"}]}], \"references\": [{\"url\": \"https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-m75q-8vj8-wppw\", \"name\": \"https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-m75q-8vj8-wppw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/RIOT-OS/RIOT/pull/20998\", \"name\": \"https://github.com/RIOT-OS/RIOT/pull/20998\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/cpu/cc2538/radio/cc2538_rf_radio_ops.c#L183\", \"name\": \"https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/cpu/cc2538/radio/cc2538_rf_radio_ops.c#L183\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/cpu/cc2538/radio/cc2538_rf_radio_ops.c#L417\", \"name\": \"https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/cpu/cc2538/radio/cc2538_rf_radio_ops.c#L417\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/cpu/cc2538/radio/cc2538_rf_radio_ops.c#L419\", \"name\": \"https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/cpu/cc2538/radio/cc2538_rf_radio_ops.c#L419\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/cpu/cc2538/radio/cc2538_rf_radio_ops.c#L421-L422\", \"name\": \"https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/cpu/cc2538/radio/cc2538_rf_radio_ops.c#L421-L422\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/sys/net/link_layer/ieee802154/submac.c#L149\", \"name\": \"https://github.com/RIOT-OS/RIOT/blob/1a418ccfedeb79dbce1d79f49e63a28906184794/sys/net/link_layer/ieee802154/submac.c#L149\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A malicious actor can send a IEEE 802.15.4 packet with spoofed length byte and optionally spoofed FCS, which eventually results into an endless loop on a CC2538 as receiver. Before PR #20998, the receiver would check for the location of the CRC bit using the packet length byte by considering all 8 bits, instead of discarding bit 7, which is what the radio does. This then results into reading outside of the RX FIFO. Although it prints an error when attempting to read outside of the RX FIFO, it will continue doing this. This may lead to a discrepancy in the CRC check according to the firmware and the radio. If the CPU judges the CRC as correct and the radio is set to `AUTO_ACK`, when the packet requests and acknowledgment the CPU will go into the state `CC2538_STATE_TX_ACK`. However, if the radio judged the CRC as incorrect, it will not send an acknowledgment, and thus the `TXACKDONE` event will not fire. It will then never return to the state `CC2538_STATE_READY` since the baseband processing is still disabled. Then the CPU will be in an endless loop. Since setting to idle is not forced, it won\u0027t do it if the radio\u0027s state is not `CC2538_STATE_READY`. A fix has not yet been made.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-835\", \"description\": \"CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-29T18:56:57.584Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-53980\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-02T11:06:19.121Z\", \"dateReserved\": \"2024-11-25T23:14:36.379Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-29T18:56:57.584Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…