In today’s connected world, Internet of Things (IoT) security is crucial. CVE-2022-24937, a vulnerability in Silicon Labs’ Ember ZNet protocol stack, affects Zigbee devices built on that stack, from smart-home gear to industrial hardware. It is classed as an Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119), the weakness family that covers buffer overflows. Below, we’ll break down what the issue is, how it can be exploited, and what users and developers can do to protect their devices.
What Is Silicon Labs Ember ZNet?
Silicon Labs Ember ZNet is Silicon Labs’ Zigbee protocol stack, shipped as the EmberZNet SDK for its wireless SoCs. It’s found in smart home gadgets, industrial controllers, gateways and coordinators, and more. The stack lets devices communicate wirelessly and is widely used because of its low power consumption and robust mesh networking features. (Thread devices on Silicon Labs parts run OpenThread, a separate stack; this advisory concerns Ember ZNet.)
What Is a Buffer Overflow?
A buffer overflow happens when data is written past the allocated boundaries of a memory buffer. The bytes land in whatever sits next to the buffer, which can cause unpredictable behavior: crashes, data corruption, or, when the overwritten memory holds a return address or function pointer, an attacker hijacking control of the device.
How Does CVE-2022-24937 Work?
CVE-2022-24937 is categorized as an *Improper Restriction of Operations within the Bounds of a Memory Buffer*. In less technical words, the code does not properly check how much data is being placed into a fixed-size memory region, so an attacker who controls the incoming length can write past its end into other parts of memory.
Where Is the Vulnerability?
This flaw exists in message parsing functions – specifically when Ember ZNet processes incoming Zigbee frames. The code fails to validate the length of packet data, allowing out-of-bounds writes.
What Could an Attacker Do?
- Cause Device Crashes: overflowing the buffer corrupts adjacent memory and can crash or reset the device, a denial-of-service (DoS) condition.
- Execute Arbitrary Code: if the overwritten memory holds a return address, a function pointer, or data the stack later trusts, an attacker can redirect execution and run their own code, taking control of a smart light, lock, or any other Zigbee-enabled hardware. Whether this is achievable depends on what lies past the buffer and on the mitigations the firmware was built with.
- Reach Neighbouring Nodes: because Zigbee is a mesh network in which nodes route for one another, a compromised node is well placed to send the same malformed frames to its neighbours.
Here is a simplified, illustrative snippet of the vulnerable pattern (written for this write-up, not Silicon Labs’ code): a fixed-size stack buffer filled using a length the remote peer controls.
    #include <stdint.h>
    #include <string.h>

    #define MAX_PAYLOAD_SIZE 64

    void handle_incoming_frame(const uint8_t *frame, uint16_t frame_length) {
        uint8_t buffer[MAX_PAYLOAD_SIZE];
        // Vulnerable: frame_length comes from the radio and is never checked!
        memcpy(buffer, frame, frame_length); // writes past buffer when frame_length > 64
        // ... parse buffer ...
    }
What’s wrong here?
If frame_length is larger than MAX_PAYLOAD_SIZE (which is 64), the memcpy call will overwrite memory beyond buffer, leading to a buffer overflow.
How should it be fixed?
Reject frames that do not fit the buffer instead of copying them. Silently truncating (copying only the first 64 bytes) also avoids the overflow, but it hands the parser a frame whose contents no longer match its length fields, so an explicit check and early return is the safer pattern:
    if (frame_length > MAX_PAYLOAD_SIZE) {
        return; // drop the malformed frame (and count it, so a flood of them is visible)
    }
    memcpy(buffer, frame, frame_length);
A malicious Zigbee node within radio range could send a specially crafted frame (pseudocode; zigbee.send_frame is a placeholder, not a real library call):
    # Example pseudocode for the attack
    malicious_frame = b"\xAA" * 100   # 100 bytes, well past the 64-byte buffer
    zigbee.send_frame(target_device, malicious_frame)
An IEEE 802.15.4 frame is at most 127 bytes on the air, so a frame of this size is easily deliverable. Upon receipt, the target device’s stack overflows the buffer, causing a crash or potentially overwriting control data.
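The snippet above only checks the total received length. Real frame parsers also carry length fields inside the frame, and those are attacker-controlled too. The following added example (written for this article; it is not Silicon Labs’ code, and the two-byte header layout, the function names and the status codes are hypothetical) generalizes the fix: every length that drives a copy is checked against both the destination buffer and the bytes actually received, so an oversized frame like the 100-byte one above is rejected, and a frame whose length field claims more than it carries cannot cause an over-read either.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical frame layout used only for this example; it is NOT the
 * Zigbee/Ember ZNet wire format:
 *   byte 0      frame control
 *   byte 1      declared payload length
 *   bytes 2..   payload
 */
#define HDR_LEN          2
#define MAX_PAYLOAD_SIZE 64

typedef enum {
    FRAME_OK = 0,
    FRAME_ERR_SHORT,      /* not even a full header was received       */
    FRAME_ERR_TOO_LONG,   /* declared payload exceeds our fixed buffer */
    FRAME_ERR_TRUNCATED   /* declared payload exceeds bytes received   */
} frame_status_t;

typedef struct {
    uint8_t frame_control;
    uint8_t payload_len;
    uint8_t payload[MAX_PAYLOAD_SIZE];
} parsed_frame_t;

/* Hardened parser. Two independent bounds checks guard the single memcpy:
 * the attacker-controlled length field must fit the destination buffer
 * (no out-of-bounds write) AND the bytes actually received (no over-read). */
frame_status_t parse_frame_safe(const uint8_t *frame, size_t frame_length,
                                parsed_frame_t *out)
{
    if (frame == NULL || out == NULL || frame_length < HDR_LEN)
        return FRAME_ERR_SHORT;

    uint8_t declared = frame[1];

    if (declared > MAX_PAYLOAD_SIZE)
        return FRAME_ERR_TOO_LONG;      /* reject; do not silently truncate */

    if ((size_t)declared > frame_length - HDR_LEN)
        return FRAME_ERR_TRUNCATED;

    out->frame_control = frame[0];
    out->payload_len   = declared;
    memcpy(out->payload, frame + HDR_LEN, declared);
    return FRAME_OK;
}

/* Builds a constructed test frame in 'buf' (capacity 'cap'): header plus
 * 'actual' payload bytes of 0xAA, with 'declared' written to the length field.
 * Returns the number of bytes written, or 0 if it does not fit. */
size_t build_frame(uint8_t *buf, size_t cap, uint8_t declared, size_t actual)
{
    if (cap < HDR_LEN + actual)
        return 0;
    buf[0] = 0x01;              /* arbitrary frame control value */
    buf[1] = declared;
    memset(buf + HDR_LEN, 0xAA, actual);
    return HDR_LEN + actual;
}

/* Drives three constructed inputs through the hardened parser: a well-formed
 * 32-byte payload, the 100-byte attack frame from the pseudocode above, and a
 * frame whose length field lies about what follows it.
 * Returns a bitmask: bit0 = good frame accepted, bit1 = attack frame rejected
 * as too long, bit2 = lying frame rejected as truncated. 7 means all passed. */
int run_examples(void)
{
    uint8_t raw[160];
    parsed_frame_t parsed;
    int result = 0;
    size_t n;

    n = build_frame(raw, sizeof raw, 32, 32);
    if (parse_frame_safe(raw, n, &parsed) == FRAME_OK && parsed.payload_len == 32)
        result |= 1;

    n = build_frame(raw, sizeof raw, 100, 100);   /* oversize, like the attack */
    if (parse_frame_safe(raw, n, &parsed) == FRAME_ERR_TOO_LONG)
        result |= 2;

    n = build_frame(raw, sizeof raw, 60, 10);     /* claims 60 bytes, carries 10 */
    if (parse_frame_safe(raw, n, &parsed) == FRAME_ERR_TRUNCATED)
        result |= 4;

    return result;
}
```

The distinct error codes matter in practice: a device that counts FRAME_ERR_TOO_LONG and FRAME_ERR_TRUNCATED separately gives you a cheap detection signal for someone probing the network with malformed frames.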
Who Is Affected?
- IoT devices using vulnerable versions of the Ember ZNet stack (often in versions prior to EmberZNet SDK v7.1.3)
- Smart home devices (lights, locks, sensors, plugs)
- Industrial Zigbee hardware
How to Check Whether Your Device Is Affected
- Device Manufacturer: check whether your device uses Silicon Labs chips or the Ember ZNet stack.
- Firmware Version: look up your product’s firmware release notes and see whether it lists a fix for CVE-2022-24937.
How to Fix
- Update Firmware: Silicon Labs has patched this in updated stacks. Ask your device maker for updates or check their support pages; device developers should rebuild against a patched EmberZNet SDK and ship the result as an OTA update.
- Limit Exposure Meanwhile: keep permit-join disabled except while onboarding devices. It does not remove the flaw, but it keeps rogue nodes from becoming routable members of your mesh.
- Monitor the official Silicon Labs security bulletins for follow-up fixes.
Original References
- Silicon Labs Security Advisory – CVE-2022-24937
- MITRE CVE Record
- Ember ZNet SDK Release Notes
Conclusion
CVE-2022-24937 is a classic example of why *memory safety* matters, especially in the world of IoT. Buffer overflows in protocol stacks like Ember ZNet can be devastating, allowing attackers to crash or control your devices from anywhere within radio range. The best protection is timely firmware updates, length-checked parsing in every code path that handles frames from the radio, and keeping an eye on who can join your network.
If you manage or use smart Zigbee devices, contact your vendor and make sure all your hardware is patched and protected!
Timeline
Published on: 11/14/2022 18:15:00 UTC
Last modified on: 11/17/2022 22:16:00 UTC