Introduction:
Azure RTOS USBX is a USB host, device, and OTG embedded stack, fully integrated with the Azure RTOS ThreadX real-time operating system. Prior to version 6.1.12, a vulnerability in its USB DFU (Device Firmware Upgrade) device class, tracked as CVE-2022-39344, allows a USB host to use the DFU UPLOAD request to trigger a buffer overflow on the device. The overflow overwrites memory beyond the control transfer buffer and, depending on how the application implements the DFU read callback and what data it reads back, may let an attacker bypass security features or execute arbitrary code. This blog post explains the vulnerability, shows a simplified sketch of the affected code path, lists the relevant references, and describes how to mitigate the issue.

Vulnerability Details:
The vulnerability stems from the implementation of the ux_device_class_dfu_control_request function, which handles the DFU UPLOAD command (UX_SLAVE_CLASS_DFU_COMMAND_UPLOAD) when the current DFU state is UX_SYSTEM_DFU_STATE_DFU_IDLE. The function takes the transfer length requested by the host (the wLength field of the control request, up to 65535 bytes) and passes it to the application's read callback, dfu -> ux_slave_class_dfu_read, which fills the control transfer buffer with the requested number of bytes. That buffer is only UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH (256) bytes long, and the function never checks that wLength fits in it. A read callback that honours the requested length therefore writes past the end of the buffer: a single UPLOAD with wLength of 4096 can overrun the 256-byte buffer by almost four kilobytes, and the host can request up to 65535 bytes in one transfer.

Here's a simplified sketch of the affected code path (not the verbatim USBX source) showing where the check is missing:

UINT  ux_device_class_dfu_control_request (...)
{
    ...
    /* Check the current state: UPLOAD is only served while the device is DFU_IDLE. */
    if (dfu_instance -> ux_slave_class_dfu_state_machine.ux_system_dfu_state == UX_SYSTEM_DFU_STATE_DFU_IDLE)
    {
        ...
        /* The host-supplied request length (wLength) is handed to the application's
           read callback unchanged. Nothing compares it with the size of the control
           transfer buffer (UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH, 256 bytes) that the
           callback writes into. */
        ...
    }
    ...
}

As the sketch shows, the function verifies the DFU state before serving an UPLOAD, but it does not verify the length. The state check is not the problem; the missing bounds check on wLength is. Whether the overrun actually happens depends on the application's ux_slave_class_dfu_read implementation: one that copies exactly the requested number of bytes into the buffer overflows it as soon as the host asks for more than 256 bytes.

Exploit Details

An attacker who can talk to the device over USB, either with physical access or from a compromised host, can send a DFU_UPLOAD control request whose wLength exceeds 256 bytes while the device is in the DFU idle state. If the application's read callback honours that length, the device copies more data than the control transfer buffer can hold, overwriting whatever is located after it in memory. In the simplest case this corrupts memory and crashes the device; if the attacker also has some control over the flash contents that the callback reads back (for example, through a previous DFU download), the overwritten memory can contain attacker-chosen data, which may lead to bypass of security measures or arbitrary code execution on the device.

Mitigation

This issue has been fixed in Azure RTOS USBX version 6.1.12, which checks the requested UPLOAD length before calling into the application. Users are advised to upgrade their Azure RTOS USBX to version 6.1.12 or later.

If upgrading is not immediately possible, the workaround is to align the request and buffer sizes so that buffer boundaries are always respected: make the application's ux_slave_class_dfu_read callback clamp (or reject) any requested length larger than UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH, and never let the DFU transfer size advertised in the DFU functional descriptor exceed the control buffer. Because the stack itself does not enforce the limit before 6.1.12, the check has to live in the application code on every DFU UPLOAD path.
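The following stand-alone C model ties the two sections above together. It is an added example written for this post, not USBX source code: the demo_ names, the flat demo_memory array standing in for the 256-byte control transfer buffer plus whatever is allocated after it, the demo_flash contents, and the demo_dfu_read callback body are all constructed here. It shows a handler that checks only the DFU state (the pre-6.1.12 behaviour), a handler that also bounds wLength against the buffer size (the fix), and a harness that measures how many bytes past the buffer each one overwrites for a given wLength.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_CONTROL_MAX_LENGTH 256u   /* stands in for UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH (256 bytes) */
#define DEMO_REQ_DFU_UPLOAD     2u     /* DFU_UPLOAD bRequest code from the USB DFU 1.1 specification */
#define DEMO_FLASH_SIZE         65536u /* constructed: size of the simulated flash read back on UPLOAD */

/* A USB control SETUP packet as parsed from the host. */
struct demo_setup {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;   /* DFU block number */
    uint16_t wIndex;   /* interface number */
    uint16_t wLength;  /* host-chosen transfer size, 0..65535 */
};

/* Constructed memory layout: the 256-byte control transfer buffer followed by
   whatever happens to be allocated after it. Keeping both in one array keeps the
   out-of-bounds write well defined in this model so it can be measured. */
static uint8_t demo_memory[DEMO_CONTROL_MAX_LENGTH + DEMO_FLASH_SIZE];
#define demo_control_buffer (demo_memory)
#define demo_neighbour      (demo_memory + DEMO_CONTROL_MAX_LENGTH)

/* Constructed "flash" contents returned to the host on UPLOAD. */
static uint8_t demo_flash[DEMO_FLASH_SIZE];

/* Hypothetical application callback in the role of ux_slave_class_dfu_read:
   copies `length` bytes of block `block` into `buf` and trusts `length`. */
static void demo_dfu_read(uint16_t block, uint8_t *buf, uint32_t length, uint32_t *actual)
{
    uint32_t offset = (uint32_t)block * DEMO_CONTROL_MAX_LENGTH;
    if (offset >= DEMO_FLASH_SIZE) { *actual = 0; return; }
    if (offset + length > DEMO_FLASH_SIZE) length = DEMO_FLASH_SIZE - offset;
    memcpy(buf, demo_flash + offset, length);   /* writes past buf when length > 256 */
    *actual = length;
}

/* Pre-6.1.12 behaviour: the DFU state is checked, wLength is not.
   Returns the number of bytes copied, or -1 if the request is refused. */
int demo_upload_vulnerable(const struct demo_setup *s, int in_dfu_idle)
{
    uint32_t actual = 0;
    if (s->bRequest != DEMO_REQ_DFU_UPLOAD || !in_dfu_idle) return -1;
    demo_dfu_read(s->wValue, demo_control_buffer, s->wLength, &actual);
    return (int)actual;
}

/* Hardened behaviour: an UPLOAD whose wLength exceeds the control buffer is
   refused (-2); a real stack would STALL the control endpoint at this point. */
int demo_upload_fixed(const struct demo_setup *s, int in_dfu_idle)
{
    uint32_t actual = 0;
    if (s->bRequest != DEMO_REQ_DFU_UPLOAD || !in_dfu_idle) return -1;
    if (s->wLength > DEMO_CONTROL_MAX_LENGTH) return -2;
    demo_dfu_read(s->wValue, demo_control_buffer, s->wLength, &actual);
    return (int)actual;
}

/* Sends one DFU_UPLOAD with the given wLength through `handler` in the DFU_IDLE
   state and reports how many bytes beyond the 256-byte buffer were overwritten. */
int demo_bytes_past_buffer(int (*handler)(const struct demo_setup *, int), uint16_t wLength)
{
    struct demo_setup s = { 0xA1, DEMO_REQ_DFU_UPLOAD, 0, 0, wLength }; /* 0xA1: device-to-host, class, interface */
    memset(demo_flash, 0x41, sizeof demo_flash);   /* constructed: attacker-influenced read-back data */
    memset(demo_memory, 0, sizeof demo_memory);
    handler(&s, 1);
    int n = 0;
    for (uint32_t i = 0; i < DEMO_FLASH_SIZE; i++) if (demo_neighbour[i] != 0) n++;
    return n;
}

int main(void)
{
    printf("vulnerable, wLength=4096: %d bytes past buffer\n", demo_bytes_past_buffer(demo_upload_vulnerable, 4096));
    printf("fixed,      wLength=4096: %d bytes past buffer\n", demo_bytes_past_buffer(demo_upload_fixed, 4096));
    printf("fixed,      wLength=256:  %d bytes past buffer\n", demo_bytes_past_buffer(demo_upload_fixed, 256));
    return 0;
}
```

With wLength of 4096 the unchecked handler writes 3840 bytes past the end of the buffer, while the bounded handler refuses the request and writes nothing; a 256-byte request succeeds on both. The same clamp placed inside the application's read callback (limiting length to the buffer size before the memcpy) is the workaround described above for builds that cannot yet move to 6.1.12.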

References

1. Azure RTOS USBX 6.1.12 Release Notes
2. CVE Details - CVE-2022-39344
3. NIST National Vulnerability Database - CVE-2022-39344

Conclusion

CVE-2022-39344 in Azure RTOS USBX allows a USB host to overflow the device's control transfer buffer through a DFU UPLOAD request whose length is never checked against the buffer size, with memory corruption and potentially code execution as the result. The issue is fixed in version 6.1.12. Upgrade to that version or later; if you cannot upgrade yet, enforce the length limit in your own DFU read callback so that no UPLOAD can write more than the control buffer holds.

Timeline

Published on: 11/04/2022 20:15:00 UTC
Last modified on: 11/07/2022 17:22:00 UTC