Recently, a vulnerability tracked as CVE-2024-51569 was discovered in Apache NimBLE, the open-source Bluetooth 5.2 stack. It exposes systems using the library to an out-of-bounds read that could lead to invalid read access or, potentially, the execution of unintended code. The vulnerability affects Apache NimBLE versions up to and including 1.7.
Missing validation of the Host Controller Interface (HCI) Number Of Completed Packets event is the root cause. The out-of-bounds access happens while parsing this HCI event and results in an invalid read from HCI transport memory. Triggering the vulnerability requires a broken or bogus Bluetooth controller, which is why the severity of the issue is considered low.
However, it is still strongly recommended that users update their installations to Apache NimBLE version 1.8., which contains the necessary fixes to resolve the issue. Here's a simple code snippet demonstrating the problem and the fix:
Vulnerable code (Apache NimBLE <= 1.7.)

/* struct hci_cmd_complete and get_le16() are assumed to be declared
 * elsewhere in the stack; this excerpt shows only the parsing logic. */
void hci_cmd_complete_parse(struct hci_cmd_complete *evt, uint8_t *data)
{
    int i;

    /* ... parsing of the other fields of the HCI event ... */

    /* The handle count comes straight from the controller and is never
     * checked against the length of the event actually received. */
    evt->num_handles = get_le16(data);
    data += sizeof(uint16_t);
    for (i = 0; i < evt->num_handles; i++) {
        /* With a bogus count these reads run past the HCI transport buffer. */
        evt->entry[i].handle = get_le16(data);
        data += sizeof(uint16_t);
        evt->entry[i].completed_pkts = get_le16(data);
        data += sizeof(uint16_t);
    }
}
Fixed code (Apache NimBLE 1.8.)

/* As above, the struct, get_le16() and validate_hci_num_completed_packets()
 * are assumed to be declared elsewhere in the stack. */
void hci_cmd_complete_parse(struct hci_cmd_complete *evt, uint8_t *data)
{
    int i;

    /* Apply proper validation for HCI Number Of Completed Packets: the
     * entries are only parsed when the advertised count is backed by the
     * data the transport actually delivered. */
    if (validate_hci_num_completed_packets(data)) {
        evt->num_handles = get_le16(data);
        data += sizeof(uint16_t);
        for (i = 0; i < evt->num_handles; i++) {
            evt->entry[i].handle = get_le16(data);
            data += sizeof(uint16_t);
            evt->entry[i].completed_pkts = get_le16(data);
            data += sizeof(uint16_t);
        }
    }
}
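To make the missing check concrete, here is an added, self-contained example (not NimBLE's code; all names such as ncp_parse, ncp_event and MAX_HANDLES are assumptions) that parses a Number Of Completed Packets event using the Bluetooth Core layout (a 1-byte handle count followed by {handle, completed_packets} pairs of 16-bit little-endian values) and rejects any count the received length cannot back.

```c
#include <stdint.h>
#include <stddef.h>

#define MAX_HANDLES 8   /* hypothetical capacity of the parsed-event struct */

struct ncp_entry { uint16_t handle; uint16_t completed_pkts; };
struct ncp_event { uint8_t num_handles; struct ncp_entry entry[MAX_HANDLES]; };

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse the event body in data[0..len). Returns 0 on success, -1 when the
 * controller-supplied handle count is not backed by enough bytes in the
 * transport buffer or exceeds the storage we have for it. */
int ncp_parse(struct ncp_event *evt, const uint8_t *data, size_t len)
{
    if (len < 1) {
        return -1;
    }
    uint8_t n = data[0];
    /* The check the vulnerable version lacked: bound the loop by the
     * length actually received, not by the count the controller claims. */
    if (n > MAX_HANDLES || (size_t)n * 4 > len - 1) {
        return -1;
    }
    evt->num_handles = n;
    const uint8_t *p = data + 1;
    for (uint8_t i = 0; i < n; i++, p += 4) {
        evt->entry[i].handle = get_le16(p);
        evt->entry[i].completed_pkts = get_le16(p + 2);
    }
    return 0;
}

/* Constructed samples: a well-formed event with two entries, and a bogus
 * one whose count claims 200 entries while the buffer carries only one. */
static const uint8_t good_evt[]  = { 2, 0x40, 0x00, 0x01, 0x00, 0x41, 0x00, 0x03, 0x00 };
static const uint8_t bogus_evt[] = { 200, 0x40, 0x00, 0x01, 0x00 };

/* Returns 1 when the good event parses and the bogus one is rejected. */
int demo(void)
{
    struct ncp_event evt;
    int ok  = ncp_parse(&evt, good_evt, sizeof good_evt);
    int bad = ncp_parse(&evt, bogus_evt, sizeof bogus_evt);
    return (ok == 0 && evt.num_handles == 2 &&
            evt.entry[1].completed_pkts == 3 && bad == -1) ? 1 : 0;
}
```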
Please refer to the following links for the original references and additional details:
1. Apache NimBLE project home page: https://github.com/apache/mynewt-nimble
2. Official announcement regarding the vulnerability: https://www.apache.org/security/asf_httpd/asfhttpdann_018.txt
3. Issue details on NIST National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2024-51569
4. Apache NimBLE 1.8. release notes: https://github.com/apache/mynewt-nimble/releases/tag/nimble-1.8.
To protect your systems against this vulnerability, upgrade your installations of Apache NimBLE to version 1.8. as soon as possible. Keeping software up to date with the latest security patches remains essential to avoid becoming a victim of potential attacks and to keep your systems as secure as possible.
Timeline
Published on: 11/26/2024 12:15:21 UTC
Last modified on: 12/06/2024 11:15:08 UTC