CVE-2021-22636 - OpenCVE

Texas Instruments TI-RTOS, when configured to use HeapMem heap(default), malloc returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in 'HeapMem_allocUnprotected' and result in code execution.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Ti	Simplelink Cc26xx Software Development Kit Cc3230s Simplelink Msp432e411y Real-time Operating System Cc3220r Cc3235s Cc3235sf Simplelink Msp432e401y Cc3230sf Cc3200 Cc3220s Simplelink Cc13xx Software Development Kit Cc3220sf Simplelink Cc32xx Software Development Kit

Configuration 1 [-]

AND

cpe:2.3:o:ti:real-time_operating_system:-:*:*:*:*:*:*:*

OR	cpe:2.3:h:ti:cc3200:-:::::::*
	cpe:2.3:h:ti:cc3220r:-:::::::*
	cpe:2.3:h:ti:cc3220s:-:::::::*
	cpe:2.3:h:ti:cc3220sf:-:::::::*
	cpe:2.3:h:ti:cc3230s:-:::::::*
	cpe:2.3:h:ti:cc3230sf:-:::::::*
	cpe:2.3:h:ti:cc3235s:-:::::::*
	cpe:2.3:h:ti:cc3235sf:-:::::::*

Configuration 2 [-]

OR	cpe:2.3:a:ti:simplelink_cc13xx_software_development_kit::::::::
	cpe:2.3:a:ti:simplelink_cc26xx_software_development_kit::::::::
	cpe:2.3:a:ti:simplelink_cc32xx_software_development_kit::::::::
	cpe:2.3:a:ti:simplelink_msp432e401y:-:::::::*
	cpe:2.3:a:ti:simplelink_msp432e411y:-:::::::*

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-21-119-04	Third Party Advisory US Government Resource
https://www.ti.com/tool/TI-RTOS-MCU	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2023-11-20T19:02:30.434Z

Updated: 2023-11-20T19:04:56.253Z

Reserved: 2021-01-05T18:23:02.914Z

Link: CVE-2021-22636

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-11-20T19:15:08.173

Modified: 2023-12-01T20:53:55.453

Link: CVE-2021-22636

JSON object: View

Redhat Information

No data.

CWE

CWE-190

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2021-22636", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2021-01-05T18:23:02.914Z", "datePublished": "2023-11-20T19:02:30.434Z", "dateUpdated": "2023-11-20T19:04:56.253Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CC32XX", "vendor": "Texas Instruments", "versions": [{"lessThan": "4.40.00.07", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "SimpleLink MSP432E4XX", "vendor": "Texas Instruments", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "SimpleLink-CC13XX", "vendor": "Texas Instruments", "versions": [{"lessThan": "4.40.00", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "SimpleLink-CC26XX", "vendor": "Texas Instruments", "versions": [{"lessThan": "4.40.00", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "SimpleLink-CC32XX", "vendor": "Texas Instruments", "versions": [{"lessThan": "4.10.03", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "David Atch, Omri Ben Bassat, and Tamir Ariel from Microsoft Section 52, and the Azure Defender for IoT research group reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">Texas Instruments TI-RTOS, when configured to use HeapMem heap(default), malloc returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in 'HeapMem_allocUnprotected' and result in code execution. </span>\n\n</span>\n\n</span>\n\n</span>\n\n"}], "value": "\n\n\n\n\n\n\nTexas Instruments TI-RTOS, when configured to use HeapMem heap(default), malloc returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in 'HeapMem_allocUnprotected' and result in code execution. \n\n\n\n\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "description": "CWE-190: Integer Overflow or Wraparound", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-11-20T19:04:56.253Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-119-04"}, {"url": "https://www.ti.com/tool/TI-RTOS-MCU"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>Texas Instruments CC32XX \u2013 Update to v4.40.00.07</div><div>Texas Instruments SimpleLink CC13X0 \u2013 <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ti.com/technologies/security/report-product-security-vulnerabilities.html\">Update to v4.10.03</a></div><div>Texas Instruments SimpleLink CC13X2-CC26X2 \u2013 <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ti.com/technologies/security/report-product-security-vulnerabilities.html\">Update to v4.40.00</a></div><div>Texas Instruments SimpleLink CC2640R2 \u2013 <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ti.com/technologies/security/report-product-security-vulnerabilities.html\">Update to v4.40.00</a></div><div>Texas Instruments SimpleLink MSP432E4 \u2013 Confirmed. No update currently planned</div>\n\n<br>"}], "value": "Texas Instruments CC32XX \u2013 Update to v4.40.00.07\n\nTexas Instruments SimpleLink CC13X0 \u2013 Update to v4.10.03 https://www.ti.com/technologies/security/report-product-security-vulnerabilities.html \n\nTexas Instruments SimpleLink CC13X2-CC26X2 \u2013 Update to v4.40.00 https://www.ti.com/technologies/security/report-product-security-vulnerabilities.html \n\nTexas Instruments SimpleLink CC2640R2 \u2013 Update to v4.40.00 https://www.ti.com/technologies/security/report-product-security-vulnerabilities.html \n\nTexas Instruments SimpleLink MSP432E4 \u2013 Confirmed. No update currently planned\n\n\n\n\n"}], "source": {"discovery": "EXTERNAL"}, "title": "Texas Instruments TI-RTOS Integer Overflow or Wraparound", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ti:real-time_operating_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "E289611E-871B-433E-BF10-CDABF650AAC9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ti:cc3200:-:*:*:*:*:*:*:*", "matchCriteriaId": "E1738237-A64A-40A3-B201-7E0005CCA3A2", "vulnerable": false}, {"criteria": "cpe:2.3:h:ti:cc3220r:-:*:*:*:*:*:*:*", "matchCriteriaId": "D436F6E3-B044-457E-B67D-9C76105F0847", "vulnerable": false}, {"criteria": "cpe:2.3:h:ti:cc3220s:-:*:*:*:*:*:*:*", "matchCriteriaId": "EE6E103B-F34A-477C-907D-B4EAE295D90E", "vulnerable": false}, {"criteria": "cpe:2.3:h:ti:cc3220sf:-:*:*:*:*:*:*:*", "matchCriteriaId": "71ABA01C-4CB1-4DD5-9263-79A58BED3A9B", "vulnerable": false}, {"criteria": "cpe:2.3:h:ti:cc3230s:-:*:*:*:*:*:*:*", "matchCriteriaId": "E34FD25E-D5C2-40F0-81E2-A8A102934E8C", "vulnerable": false}, {"criteria": "cpe:2.3:h:ti:cc3230sf:-:*:*:*:*:*:*:*", "matchCriteriaId": "3408EEBE-25EC-4CEA-8E96-DCFF7C66B3F6", "vulnerable": false}, {"criteria": "cpe:2.3:h:ti:cc3235s:-:*:*:*:*:*:*:*", "matchCriteriaId": "370E65A3-17A4-4E05-BB4A-6C09BB5249CA", "vulnerable": false}, {"criteria": "cpe:2.3:h:ti:cc3235sf:-:*:*:*:*:*:*:*", "matchCriteriaId": "B06F9E6A-690D-4E95-ADD4-927995EE5523", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ti:simplelink_cc13xx_software_development_kit:*:*:*:*:*:*:*:*", "matchCriteriaId": "97B4CA27-1024-4347-8C0B-A8848950CB5B", "versionEndExcluding": "4.40.00", "vulnerable": true}, {"criteria": "cpe:2.3:a:ti:simplelink_cc26xx_software_development_kit:*:*:*:*:*:*:*:*", "matchCriteriaId": "BCC0C102-7DCB-4959-91C6-ECA8429BB1A2", "versionEndExcluding": "4.40.00", "vulnerable": true}, {"criteria": "cpe:2.3:a:ti:simplelink_cc32xx_software_development_kit:*:*:*:*:*:*:*:*", "matchCriteriaId": "61CF4AB1-347E-42F9-89FB-350445ED7E70", "versionEndExcluding": "4.10.03", "vulnerable": true}, {"criteria": "cpe:2.3:a:ti:simplelink_msp432e401y:-:*:*:*:*:*:*:*", "matchCriteriaId": "538BC9EE-7C51-41CC-9A58-5FEB3261EF7C", "vulnerable": true}, {"criteria": "cpe:2.3:a:ti:simplelink_msp432e411y:-:*:*:*:*:*:*:*", "matchCriteriaId": "EC7C493D-DAC1-4FBD-A056-C9D5CF98F9E0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\n\n\n\n\n\n\nTexas Instruments TI-RTOS, when configured to use HeapMem heap(default), malloc returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in 'HeapMem_allocUnprotected' and result in code execution. \n\n\n\n\n\n\n\n"}, {"lang": "es", "value": "Texas Instruments TI-RTOS, cuando se configura para usar el heap HeapMem (predeterminado), malloc devuelve un puntero v\u00e1lido a un b\u00fafer peque\u00f1o en valores extremadamente grandes, lo que puede desencadenar una vulnerabilidad de desbordamiento de enteros en 'HeapMem_allocUnprotected' y provocar la ejecuci\u00f3n de c\u00f3digo."}], "id": "CVE-2021-22636", "lastModified": "2023-12-01T20:53:55.453", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2023-11-20T19:15:08.173", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-119-04"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Product"], "url": "https://www.ti.com/tool/TI-RTOS-MCU"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-190"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}