CVE-2018-18068 - OpenCVE

The ARM-based hardware debugging feature on Raspberry Pi 3 module B+ and possibly other devices allows non-secure EL1 code to read/write any EL3 (the highest privilege level in ARMv8) memory/register via inter-processor debugging. With a debug host processor A running in non-secure EL1 and a debug target processor B running in any privilege level, the debugging feature allows A to halt B and promote B to any privilege level. As a debug host, A has full control of B even if B owns a higher privilege level than A. Accordingly, A can read/write any EL3 memory/register via B. Also, with this memory access, A can execute arbitrary code in EL3.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Raspberrypi	Raspberry Pi 3 Model B\+ Raspberry Pi 3 Model B\+ Firmware

Configuration 1 [-]

AND

cpe:2.3:o:raspberrypi:raspberry_pi_3_model_b\+_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:raspberrypi:raspberry_pi_3_model_b\+:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.cs.wayne.edu/fengwei/paper/nailgun-sp19.pdf	Exploit Technical Description Third Party Advisory
https://www.computer.org/csdl/proceedings-article/sp/2019/666000b157/17D45WHONhv	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-04-04T19:13:46

Updated: 2019-04-04T19:13:46

Reserved: 2018-10-08T00:00:00

Link: CVE-2018-18068

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-04-04T20:29:00.220

Modified: 2019-10-03T00:03:26.223

Link: CVE-2018-18068

JSON object: View

Redhat Information

No data.

CWE

CWE-668

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-01-28T00:00:00", "descriptions": [{"lang": "en", "value": "The ARM-based hardware debugging feature on Raspberry Pi 3 module B+ and possibly other devices allows non-secure EL1 code to read/write any EL3 (the highest privilege level in ARMv8) memory/register via inter-processor debugging. With a debug host processor A running in non-secure EL1 and a debug target processor B running in any privilege level, the debugging feature allows A to halt B and promote B to any privilege level. As a debug host, A has full control of B even if B owns a higher privilege level than A. Accordingly, A can read/write any EL3 memory/register via B. Also, with this memory access, A can execute arbitrary code in EL3."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-04-04T19:13:46", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.computer.org/csdl/proceedings-article/sp/2019/666000b157/17D45WHONhv"}, {"tags": ["x_refsource_MISC"], "url": "http://www.cs.wayne.edu/fengwei/paper/nailgun-sp19.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-18068", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The ARM-based hardware debugging feature on Raspberry Pi 3 module B+ and possibly other devices allows non-secure EL1 code to read/write any EL3 (the highest privilege level in ARMv8) memory/register via inter-processor debugging. With a debug host processor A running in non-secure EL1 and a debug target processor B running in any privilege level, the debugging feature allows A to halt B and promote B to any privilege level. As a debug host, A has full control of B even if B owns a higher privilege level than A. Accordingly, A can read/write any EL3 memory/register via B. Also, with this memory access, A can execute arbitrary code in EL3."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.computer.org/csdl/proceedings-article/sp/2019/666000b157/17D45WHONhv", "refsource": "MISC", "url": "https://www.computer.org/csdl/proceedings-article/sp/2019/666000b157/17D45WHONhv"}, {"name": "http://www.cs.wayne.edu/fengwei/paper/nailgun-sp19.pdf", "refsource": "MISC", "url": "http://www.cs.wayne.edu/fengwei/paper/nailgun-sp19.pdf"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-18068", "datePublished": "2019-04-04T19:13:46", "dateReserved": "2018-10-08T00:00:00", "dateUpdated": "2019-04-04T19:13:46", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:raspberrypi:raspberry_pi_3_model_b\\+_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "2C0914D7-A1AE-42A4-B8D3-DAD85DB4CA13", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:raspberrypi:raspberry_pi_3_model_b\\+:-:*:*:*:*:*:*:*", "matchCriteriaId": "05303822-9252-471C-9209-7DBB593A3874", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The ARM-based hardware debugging feature on Raspberry Pi 3 module B+ and possibly other devices allows non-secure EL1 code to read/write any EL3 (the highest privilege level in ARMv8) memory/register via inter-processor debugging. With a debug host processor A running in non-secure EL1 and a debug target processor B running in any privilege level, the debugging feature allows A to halt B and promote B to any privilege level. As a debug host, A has full control of B even if B owns a higher privilege level than A. Accordingly, A can read/write any EL3 memory/register via B. Also, with this memory access, A can execute arbitrary code in EL3."}, {"lang": "es", "value": "La funcionalidad de depuraci\u00f3n de hardware basada en ARM en el m\u00f3dulo B+ de Raspberry Pi 3 y, posiblemente otros dispositivos, permite que un c\u00f3digo EL1 inseguro lea/escriba cualquier memoria/registro EL3 (el nivel de privilegios m\u00e1s alto en ARMv8) mediante un proceso de depuraci\u00f3n de interprocesador. Con un procesador de depuraci\u00f3n host \"A\" que opera con c\u00f3digo EL1 inseguro y un procesador de depuraci\u00f3n objetivo B que opera con cualquier nivel de privilegios, la funcionalidad de depuraci\u00f3n permite a \"A\" detener \"B\" y asciende \"B\" a cualquier nivel de privilegios. Como host de depuraci\u00f3n, A tiene el control total sobre B aunque B posee a nivel de privilegios m\u00e1s alto que A. Por consiguiente, A puede leer/escribir cualquier memoria/registro EL3 a trav\u00e9s de B. Asimismo, con este acceso a la memoria, A puede ejecutar c\u00f3digo arbitrario en EL3 tambi\u00e9n."}], "id": "CVE-2018-18068", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-04T20:29:00.220", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "http://www.cs.wayne.edu/fengwei/paper/nailgun-sp19.pdf"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.computer.org/csdl/proceedings-article/sp/2019/666000b157/17D45WHONhv"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-668"}], "source": "nvd@nist.gov", "type": "Primary"}]}