OST2, Zephyr RTOS, and a bunch of CVEs

“When hackers tell me it’s so hard to find bugs, I tell them to stop looking for hard bugs.”
— Dave Aitel

Summary

The Zephyr Project is an open source collaborative effort sponsored by the Linux Foundation. It unites developers and users in building a best-in-class, small, scalable, real-time operating system (RTOS) optimized for resource-constrained IoT devices, across multiple microcontroller architectures.

I reviewed Zephyr’s source code hosted on GitHub and identified multiple security vulnerabilities that may cause memory corruption. Their impacts range from denial of service to potential arbitrary code execution.

My detailed advisory is available here: https://github.com/hnsecurity/vulns/blob/main/HNS-2023-03-zephyr.txt

Background

After my recent, less than pleasant coordinated disclosure experiences, I became fed up with having to deal with commercial vendors. In my endless endeavor to become a better security researcher, I decided to try to meaningfully contribute to open source projects instead.

At about the same time, I stumbled upon the OpenSecurityTraining2 (OST2) project that provides world-class, free security training. While going through their awesome (and much recommended!) Vulns1001 and Vulns1002 training courses, I discovered the Zephyr Project. It immediately piqued my interest and therefore I decided to review its source code.

During the review, I made heavy use of my Semgrep C/C++ ruleset to identify hotspots in code on which to focus my attention. I also took advantage of this opportunity to improve the ruleset.

Vulnerabilities

The vulnerabilities resulting from my source code review are:

  • CVE-2023-3725 – Stack buffer overflow vulnerability in the Zephyr CANbus subsystem
  • CVE-2023-4257 – Unchecked user input length in the Zephyr WiFi shell module
  • CVE-2023-4259 – Static buffer overflow vulnerabilities in the Zephyr eS-WiFi driver
  • CVE-2023-4260 – Off-by-one stack buffer overflow vulnerability in the Zephyr FS subsystem
  • CVE-2023-4261 – Unspecified buffer overflow vulnerability in the Zephyr IPC subsystem (unreleased)
  • CVE-2023-4262 – Heap buffer overflow vulnerabilities in the Zephyr Mgmt subsystem
  • CVE-2023-4263 – Stack buffer overflow vulnerability in the Zephyr IEEE 802.15.4 driver
  • CVE-2023-4264 – Static, stack, and heap buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem
  • CVE-2023-4265 – Two buffer overflow vulnerabilities in Zephyr USB code
  • CVE-2023-5139 – Buffer overflow vulnerability in the Zephyr STM32 Crypto driver
  • CVE-2023-5184 – Signed to unsigned conversion errors and stack buffer overflow vulnerabilities in the Zephyr IPM driver
  • CVE-2023-5753 – Static and heap buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem

After all, what better way to celebrate 20 years since my first CVE than with a bunch of brand new CVEs? 😉

For additional information about these vulnerabilities and their fixes, please refer to the detailed advisory.
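Several entries in the list above name the same small set of bug classes (unchecked lengths, off-by-one bounds, signed-to-unsigned conversions feeding a copy). The following C snippet is an added illustration of the signed-to-unsigned conversion pattern and is not Zephyr code, nor the code behind any CVE listed here; the message format (one signed 8-bit length byte followed by payload) and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OUT_SIZE 16u

/*
 * Constructed message format (an assumption for this example only):
 * one signed 8-bit length byte followed by that many payload bytes.
 * The length is signed purely to illustrate the bug class.
 */

/* Vulnerable pattern: the bound check is performed on a signed value,
 * so a negative length passes "len > OUT_SIZE" and is then converted to
 * a huge size_t when handed to memcpy(). To keep the demonstration
 * memory-safe this function returns the length memcpy() would receive
 * instead of performing the copy (0 means the check rejected it). */
size_t vulnerable_copy_len(const uint8_t *msg)
{
    int len = (int8_t)msg[0];     /* 0xFF -> -1 */
    if (len > (int)OUT_SIZE) {    /* -1 > 16 is false: check passes */
        return 0;                 /* rejected */
    }
    return (size_t)len;           /* -1 becomes SIZE_MAX */
}

/* Hardened pattern: reject negatives explicitly (or read the length as
 * unsigned), compare as size_t against the destination size, and also
 * make sure the payload is actually present in the input buffer.
 * Returns the number of bytes copied, or -1 on rejection. */
int hardened_copy(uint8_t *out, size_t out_size,
                  const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1) {
        return -1;
    }
    int len = (int8_t)msg[0];
    if (len < 0 || (size_t)len > out_size || (size_t)len > msg_len - 1) {
        return -1;
    }
    memcpy(out, msg + 1, (size_t)len);
    return len;
}

int main(void)
{
    /* Constructed inputs: a benign 4-byte payload and a negative length. */
    const uint8_t good[] = {4, 'a', 'b', 'c', 'd'};
    const uint8_t evil[] = {0xFF, 'x'};
    uint8_t out[OUT_SIZE];

    printf("vulnerable: memcpy would receive %zu bytes for length byte 0xFF\n",
           vulnerable_copy_len(evil));
    printf("hardened: good -> %d, evil -> %d\n",
           hardened_copy(out, sizeof out, good, sizeof good),
           hardened_copy(out, sizeof out, evil, sizeof evil));
    return 0;
}
```

The point to take away is that the comparison and the consumer of the length must agree on signedness: a check written against a signed `int` says nothing about what `memcpy()` sees once the value is implicitly converted to `size_t`.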

Disclosure and fixes

I reported the vulnerabilities discussed in this article to the Zephyr Project between May and July 2023, using GitHub’s security advisories feature. Private vulnerability reporting allows security researchers to report vulnerabilities securely in a repository. It’s an excellent way to streamline coordinated disclosure and I wish more maintainers enabled it.

On October 20th, 2023 the Zephyr Project released version 3.5.0 of their RTOS, which contains fixes for all vulnerabilities discussed in this article, with two exceptions: CVE-2023-4265 was already fixed in Zephyr 3.4.0, and CVE-2023-4261 will be addressed in a future update.

Please check the official Zephyr Project channels for further information about fixes and backported patches for older but still maintained releases of the Zephyr RTOS.

Acknowledgments

I would like to thank the Zephyr Project's development team, and Flavio Ceolin in particular, for triaging and fixing the reported vulnerabilities.