CVE-2021-3436 - OpenCVE

BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Zephyrproject	Zephyr

Configuration 1 [-]

OR	cpe:2.3:o:zephyrproject:zephyr:1.14.2:::::::*
	cpe:2.3:o:zephyrproject:zephyr:2.4.0:::::::*
	cpe:2.3:o:zephyrproject:zephyr:2.5.0:::::::*

References

Link	Resource
http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63	Exploit Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: zephyr

Published: 2021-06-11T00:00:00

Updated: 2021-10-05T20:50:15

Reserved: 2021-03-11T00:00:00

Link: CVE-2021-3436

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-10-05T21:15:09.293

Modified: 2021-10-13T12:39:39.973

Link: CVE-2021-3436

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "zephyr", "vendor": "zephyrproject-rtos", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "1.14.2", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "2.4.0", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "2.5.0", "versionType": "custom"}]}], "datePublic": "2021-06-11T00:00:00", "descriptions": [{"lang": "en", "value": "BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-694", "description": "Use of Multiple Resources with Duplicate Identifier (CWE-694)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-05T20:50:15", "orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "shortName": "zephyr"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"}], "source": {"defect": ["https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"]}, "title": "BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerabilities@zephyrproject.org", "DATE_PUBLIC": "2021-06-11T00:00:00.000Z", "ID": "CVE-2021-3436", "STATE": "PUBLIC", "TITLE": "BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "zephyr", "version": {"version_data": [{"version_affected": ">=", "version_value": "1.14.2"}, {"version_affected": ">=", "version_value": "2.4.0"}, {"version_affected": ">=", "version_value": "2.5.0"}]}}]}, "vendor_name": "zephyrproject-rtos"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "environmentalScore": 4.3, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 4.3, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Use of Multiple Resources with Duplicate Identifier (CWE-694)"}]}]}, "references": {"reference_data": [{"name": "http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63", "refsource": "MISC", "url": "http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"}]}, "source": {"defect": ["https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"]}}}}, "cveMetadata": {"assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "assignerShortName": "zephyr", "cveId": "CVE-2021-3436", "datePublished": "2021-06-11T00:00:00", "dateReserved": "2021-03-11T00:00:00", "dateUpdated": "2021-10-05T20:50:15", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zephyrproject:zephyr:1.14.2:*:*:*:*:*:*:*", "matchCriteriaId": "B74694FC-5442-4F7E-AACF-0E1753F50148", "vulnerable": true}, {"criteria": "cpe:2.3:o:zephyrproject:zephyr:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "59AB4423-CBB9-4BC1-9FBB-2690DAA3FDF8", "vulnerable": true}, {"criteria": "cpe:2.3:o:zephyrproject:zephyr:2.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "CAA88796-7B3D-4328-BAFA-D28BFBE601D9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"}, {"lang": "es", "value": "BT: Posibilidad de sobrescribir un v\u00ednculo existente durante la fase de distribuci\u00f3n de claves cuando se conoce la direcci\u00f3n de identidad del v\u00ednculo. Zephyr versiones posteriores a 1.14.2 incluy\u00e9ndola, versiones posteriores a 2.4.0 incluy\u00e9ndola, versiones posteriores a 2.5.0 incluy\u00e9ndola, contienen Uso de M\u00faltiples Recursos con Identificador Duplicado (CWE-694). Para m\u00e1s informaci\u00f3n, consulte https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"}], "id": "CVE-2021-3436", "lastModified": "2021-10-13T12:39:39.973", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}]}, "published": "2021-10-05T21:15:09.293", "references": [{"source": "vulnerabilities@zephyrproject.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"}], "sourceIdentifier": "vulnerabilities@zephyrproject.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-694"}], "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}]}