CVE-2021-27208 - OpenCVE

When booting a Zync-7000 SOC device from nand flash memory, the nand driver in the ROM does not validate the inputs when reading in any parameters in the nand’s parameter page. IF a field read in from the parameter page is too large, this causes a buffer overflow that could lead to arbitrary code execution. Physical access and modification of the board assembly on which the Zynq-7000 SoC device mounted is needed to replace the original NAND flash memory with a NAND flash emulation device for this attack to be successful.

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Xilinx	Zynq-7000 Zynq-7000s Firmware Zynq-7000s Zynq-7000 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:xilinx:zynq-7000s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:xilinx:zynq-7000s:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:xilinx:zynq-7000_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:xilinx:zynq-7000:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.onfi.org/specifications	Not Applicable
https://www.xilinx.com/products/silicon-devices/soc/zynq-7000.html	Product Vendor Advisory
https://www.xilinx.com/support/answers/76201.html	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-03-15T12:27:26

Updated: 2021-03-24T15:47:07

Reserved: 2021-02-12T00:00:00

Link: CVE-2021-27208

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-03-15T13:15:14.967

Modified: 2021-03-30T12:52:36.440

Link: CVE-2021-27208

JSON object: View

Redhat Information

No data.

CWE

CWE-120

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "When booting a Zync-7000 SOC device from nand flash memory, the nand driver in the ROM does not validate the inputs when reading in any parameters in the nand\u2019s parameter page. IF a field read in from the parameter page is too large, this causes a buffer overflow that could lead to arbitrary code execution. Physical access and modification of the board assembly on which the Zynq-7000 SoC device mounted is needed to replace the original NAND flash memory with a NAND flash emulation device for this attack to be successful."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-03-24T15:47:07", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.xilinx.com/products/silicon-devices/soc/zynq-7000.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.xilinx.com/support/answers/76201.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.onfi.org/specifications"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-27208", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When booting a Zync-7000 SOC device from nand flash memory, the nand driver in the ROM does not validate the inputs when reading in any parameters in the nand\u2019s parameter page. IF a field read in from the parameter page is too large, this causes a buffer overflow that could lead to arbitrary code execution. Physical access and modification of the board assembly on which the Zynq-7000 SoC device mounted is needed to replace the original NAND flash memory with a NAND flash emulation device for this attack to be successful."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.xilinx.com/products/silicon-devices/soc/zynq-7000.html", "refsource": "MISC", "url": "https://www.xilinx.com/products/silicon-devices/soc/zynq-7000.html"}, {"name": "https://www.xilinx.com/support/answers/76201.html", "refsource": "MISC", "url": "https://www.xilinx.com/support/answers/76201.html"}, {"name": "http://www.onfi.org/specifications", "refsource": "MISC", "url": "http://www.onfi.org/specifications"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-27208", "datePublished": "2021-03-15T12:27:26", "dateReserved": "2021-02-12T00:00:00", "dateUpdated": "2021-03-24T15:47:07", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:xilinx:zynq-7000s_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "59B1D2D0-34CB-4BAA-982C-FFEBCA5C7A76", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:xilinx:zynq-7000s:-:*:*:*:*:*:*:*", "matchCriteriaId": "5B820E50-D48F-47C1-BC7F-2823E4948674", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:xilinx:zynq-7000_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "74141029-1B75-4D78-B1AE-9FCB0BA8498B", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:xilinx:zynq-7000:-:*:*:*:*:*:*:*", "matchCriteriaId": "A733B279-FD2C-4F20-B220-4D42CD82AB35", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "When booting a Zync-7000 SOC device from nand flash memory, the nand driver in the ROM does not validate the inputs when reading in any parameters in the nand\u2019s parameter page. IF a field read in from the parameter page is too large, this causes a buffer overflow that could lead to arbitrary code execution. Physical access and modification of the board assembly on which the Zynq-7000 SoC device mounted is needed to replace the original NAND flash memory with a NAND flash emulation device for this attack to be successful."}, {"lang": "es", "value": "Cuando se arranca un dispositivo Zync-7000 SOC desde la memoria flash nand, el controlador nand en la ROM no comprueba las entradas cuando se leen en par\u00e1metros any en la p\u00e1gina de par\u00e1metros nand. SI un campo le\u00eddo desde la p\u00e1gina de par\u00e1metros es demasiado grande, esto causa un desbordamiento del b\u00fafer que podr\u00eda conllevar a una ejecuci\u00f3n de c\u00f3digo arbitraria. Es necesario un acceso f\u00edsico y modificaci\u00f3n al dispositivo Zynq-7000 para reemplazar la memoria flash nand original con un emulador flash nand para que este ataque tenga \u00e9xito"}], "id": "CVE-2021-27208", "lastModified": "2021-03-30T12:52:36.440", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-15T13:15:14.967", "references": [{"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "http://www.onfi.org/specifications"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://www.xilinx.com/products/silicon-devices/soc/zynq-7000.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.xilinx.com/support/answers/76201.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "nvd@nist.gov", "type": "Primary"}]}