.. _vulnerabilities_2021: CVE-2021 ######## :cve:`2021-3319` ---------------- DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses Improper processing of omitted source and destination addresses in ieee802154 frame validation (ieee802154_validate_frame) This has been fixed in main for v2.5.0 - `Zephyr project bug tracker GHSA-94jg-2p6q-5364 `_ - `PR31908 fix for main `_ :cve:`2021-3320` ---------------- Mismatch between validation and handling of 802154 ACK frames, where ACK frames are considered during validation, but not during actual processing, leading to a type confusion. - `PR31908 fix for main `_ :cve:`2021-3321` ---------------- Incomplete check of minimum IEEE 802154 fragment size leading to an integer underflow. - `Zephyr project bug tracker ZEPSEC-114 `_ - `PR33453 fix for v2.4 `_ :cve:`2021-3323` ---------------- Integer Underflow in 6LoWPAN IPHC Header Uncompression This has been fixed in main for v2.5.0 - `Zephyr project bug tracker GHSA-89j6-qpxf-pfpc `_ - `PR 31971 fix for main `_ :cve:`2021-3430` ---------------- Assertion reachable with repeated LL_CONNECTION_PARAM_REQ. This has been fixed in main for v2.6.0 - `Zephyr project bug tracker GHSA-46h3-hjcq-2jjr `_ - `PR 33272 fix for main `_ - `PR 33369 fix for 2.5 `_ - `PR 33759 fix for 1.14.2 `_ :cve:`2021-3431` ---------------- BT: Assertion failure on repeated LL_FEATURE_REQ This has been fixed in main for v2.6.0 - `Zephyr project bug tracker GHSA-7548-5m6f-mqv9 `_ - `PR 33340 fix for main `_ - `PR 33369 fix for 2.5 `_ :cve:`2021-3432` ---------------- Invalid interval in CONNECT_IND leads to Division by Zero This has been fixed in main for v2.6.0 - `Zephyr project bug tracker GHSA-7364-p4wc-8mj4 `_ - `PR 33278 fix for main `_ - `PR 33369 fix for 2.5 `_ :cve:`2021-3433` ---------------- BT: Invalid channel map in CONNECT_IND results to Deadlock This has been fixed in main for v2.6.0 - `Zephyr project bug tracker GHSA-3c2f-w4v6-qxrp `_ - `PR 33278 fix for main `_ - `PR 33369 fix for 2.5 `_ :cve:`2021-3434` ---------------- L2CAP: Stack based buffer overflow in le_ecred_conn_req() This has been fixed in main for v2.6.0 - `Zephyr project bug tracker GHSA-8w87-6rfp-cfrm `_ - `PR 33305 fix for main `_ - `PR 33419 fix for 2.5 `_ - `PR 33418 fix for 1.14.2 `_ :cve:`2021-3435` ---------------- L2CAP: Information leakage in le_ecred_conn_req() This has been fixed in main for v2.6.0 - `Zephyr project bug tracker GHSA-xhg3-gvj6-4rqh `_ - `PR 33305 fix for main `_ - `PR 33419 fix for 2.5 `_ - `PR 33418 fix for 1.14.2 `_ :cve:`2021-3436` ---------------- Bluetooth: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known During the distribution of the identity address information we don’t check for an existing bond with the same identity address.This means that a duplicate entry will be created in RAM while the newest entry will overwrite the existing one in persistent storage. This has been fixed in main for v2.6.0 - `Zephyr project bug tracker GHSA-j76f-35mc-4h63 `_ - `PR 33266 fix for main `_ - `PR 33432 fix for 2.5 `_ - `PR 33433 fix for 2.4 `_ - `PR 33718 fix for 1.14.2 `_ :cve:`2021-3454` ---------------- Truncated L2CAP K-frame causes assertion failure For example, sending L2CAP K-frame where SDU length field is truncated to only one byte, causes assertion failure in previous releases of Zephyr. This has been fixed in master by commit 0ba9437 but has not yet been backported to older release branches. This has been fixed in main for v2.6.0 - `Zephyr project bug tracker GHSA-fx88-6c29-vrp3 `_ - `PR 32588 fix for main `_ - `PR 33513 fix for 2.5 `_ - `PR 33514 fix for 2.4 `_ :cve:`2021-3455` ---------------- Disconnecting L2CAP channel right after invalid ATT request leads freeze When Central device connects to peripheral and creates L2CAP connection for Enhanced ATT, sending some invalid ATT request and disconnecting immediately causes freeze. This has been fixed in main for v2.6.0 - `Zephyr project bug tracker GHSA-7g38-3x9v-v7vp `_ - `PR 35597 fix for main `_ - `PR 36104 fix for 2.5 `_ - `PR 36105 fix for 2.4 `_ :cve:`2021-3510` ---------------- Zephyr JSON decoder incorrectly decodes array of array When using JSON_OBJ_DESCR_ARRAY_ARRAY, the subarray is has the token type JSON_TOK_LIST_START, but then assigns to the object part of the union. arr_parse then takes the offset of the array-object (which has nothing todo with the list) treats it as relative to the parent object, and stores the length of the subarray in there. This has been fixed in main for v2.7.0 - `Zephyr project bug tracker GHSA-289f-7mw3-2qf4 `_ - `PR 36340 fix for main `_ - `PR 37816 fix for 2.6 `_ :cve:`2021-3581` ---------------- HCI data not properly checked leads to memory overflow in the Bluetooth stack In the process of setting SCAN_RSP through the HCI command, the Zephyr Bluetooth protocol stack did not effectively check the length of the incoming HCI data. Causes memory overflow, and then the data in the memory is overwritten, and may even cause arbitrary code execution. This has been fixed in main for v2.6.0 - `Zephyr project bug tracker GHSA-8q65-5gqf-fmw5 `_ - `PR 35935 fix for main `_ - `PR 35984 fix for 2.5 `_ - `PR 35985 fix for 2.4 `_ - `PR 35985 fix for 1.14 `_ :cve:`2021-3625` ---------------- Buffer overflow in Zephyr USB DFU DNLOAD This has been fixed in main for v2.6.0 - `Zephyr project bug tracker GHSA-c3gr-hgvr-f363 `_ - `PR 36694 fix for main `_ :cve:`2021-3835` ---------------- Buffer overflow in Zephyr USB device class This has been fixed in main for v3.0.0 - `Zephyr project bug tracker GHSA-fm6v-8625-99jf `_ - `PR 42093 fix for main `_ - `PR 42167 fix for 2.7 `_ :cve:`2021-3861` ---------------- Buffer overflow in the RNDIS USB device class This has been fixed in main for v3.0.0 - `Zephyr project bug tracker GHSA-hvfp-w4h8-gxvj `_ - `PR 39725 fix for main `_ :cve:`2021-3966` ---------------- Usb bluetooth device ACL read cb buffer overflow This has been fixed in main for v3.0.0 - `Zephyr project bug tracker GHSA-hfxq-3w6x-fv2m `_ - `PR 42093 fix for main `_ - `PR 42167 fix for v2.7.0 `_