CVE-2022-39343 - OpenCVE

Azure RTOS FileX is a FAT-compatible file system that’s fully integrated with Azure RTOS ThreadX. In versions before 6.2.0, the Fault Tolerant feature of Azure RTOS FileX includes integer under and overflows which may be exploited to achieve buffer overflow and modify memory contents. When a valid log file with correct ID and checksum is detected by the `_fx_fault_tolerant_enable` function an attempt to recover the previous failed write operation is taken by call of `_fx_fault_tolerant_apply_logs`. This function iterates through the log entries and performs required recovery operations. When properly crafted a log including entries of type `FX_FAULT_TOLERANT_DIR_LOG_TYPE` may be utilized to introduce unexpected behavior. This issue has been patched in version 6.2.0. A workaround to fix line 218 in fx_fault_tolerant_apply_logs.c is documented in the GHSA.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Azure Rtos Filex

Configuration 1 [-]

cpe:2.3:o:microsoft:azure_rtos_filex:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/azure-rtos/filex/blob/master/common/src/fx_fault_tolerant_apply_logs.c#L218	Patch Third Party Advisory
https://github.com/azure-rtos/filex/security/advisories/GHSA-8jqf-wjhq-4w9f	Exploit Mitigation Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-11-08T00:00:00

Updated: 2022-11-08T00:00:00

Reserved: 2022-09-02T00:00:00

Link: CVE-2022-39343

JSON object: View

NVD Information

Status : Modified

Published: 2022-11-08T08:15:09.537

Modified: 2023-11-07T03:50:27.067

Link: CVE-2022-39343

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39343", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2022-11-08T00:00:00", "dateReserved": "2022-09-02T00:00:00", "datePublished": "2022-11-08T00:00:00"}, "containers": {"cna": {"title": "Azure RTOS FileX vulnerable to Buffer Offerflow", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-11-08T00:00:00"}, "descriptions": [{"lang": "en", "value": "Azure RTOS FileX is a FAT-compatible file system that\u2019s fully integrated with Azure RTOS ThreadX. In versions before 6.2.0, the Fault Tolerant feature of Azure RTOS FileX includes integer under and overflows which may be exploited to achieve buffer overflow and modify memory contents. When a valid log file with correct ID and checksum is detected by the `_fx_fault_tolerant_enable` function an attempt to recover the previous failed write operation is taken by call of `_fx_fault_tolerant_apply_logs`. This function iterates through the log entries and performs required recovery operations. When properly crafted a log including entries of type `FX_FAULT_TOLERANT_DIR_LOG_TYPE` may be utilized to introduce unexpected behavior. This issue has been patched in version 6.2.0. A workaround to fix line 218 in fx_fault_tolerant_apply_logs.c is documented in the GHSA."}], "affected": [{"vendor": "azure-rtos", "product": "filex", "versions": [{"version": "< 6.2.0", "status": "affected"}]}], "references": [{"url": "https://github.com/azure-rtos/filex/security/advisories/GHSA-8jqf-wjhq-4w9f"}, {"url": "https://github.com/azure-rtos/filex/blob/master/common/src/fx_fault_tolerant_apply_logs.c#L218"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "cweId": "CWE-120"}]}], "source": {"advisory": "GHSA-8jqf-wjhq-4w9f", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:azure_rtos_filex:*:*:*:*:*:*:*:*", "matchCriteriaId": "DDA74F57-5852-4584-82B6-FF1D07B311C9", "versionEndExcluding": "6.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Azure RTOS FileX is a FAT-compatible file system that\u2019s fully integrated with Azure RTOS ThreadX. In versions before 6.2.0, the Fault Tolerant feature of Azure RTOS FileX includes integer under and overflows which may be exploited to achieve buffer overflow and modify memory contents. When a valid log file with correct ID and checksum is detected by the `_fx_fault_tolerant_enable` function an attempt to recover the previous failed write operation is taken by call of `_fx_fault_tolerant_apply_logs`. This function iterates through the log entries and performs required recovery operations. When properly crafted a log including entries of type `FX_FAULT_TOLERANT_DIR_LOG_TYPE` may be utilized to introduce unexpected behavior. This issue has been patched in version 6.2.0. A workaround to fix line 218 in fx_fault_tolerant_apply_logs.c is documented in the GHSA."}, {"lang": "es", "value": "Azure RTOS FileX es un sistema de archivos compatible con FAT que est\u00e1 completamente integrado con Azure RTOS ThreadX. En versiones anteriores a la 6.2.0, la caracter\u00edstica Tolerante a fallos de Azure RTOS FileX incluye desbordamientos y subestimaciones de enteros que pueden aprovecharse para lograr un desbordamiento del b\u00fafer y modificar el contenido de la memoria. Cuando la funci\u00f3n `_fx_fault_tolerant_enable` detecta un archivo de registro v\u00e1lido con ID y suma de verificaci\u00f3n correctos, se intenta recuperar la operaci\u00f3n de escritura fallida anterior mediante la llamada de `_fx_fault_tolerant_apply_logs`. Esta funci\u00f3n recorre en iteraci\u00f3n las entradas del registro y realiza las operaciones de recuperaci\u00f3n necesarias. Cuando se elabora correctamente, se puede utilizar un registro que incluya entradas del tipo `FX_FAULT_TOLERANT_DIR_LOG_TYPE` para introducir comportamientos inesperados. Este problema se solucion\u00f3 en la versi\u00f3n 6.2.0. En GHSA se documenta un workaround alternativo para corregir la l\u00ednea 218 en fx_fault_tolerant_apply_logs.c."}], "id": "CVE-2022-39343", "lastModified": "2023-11-07T03:50:27.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-11-08T08:15:09.537", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/azure-rtos/filex/blob/master/common/src/fx_fault_tolerant_apply_logs.c#L218"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/azure-rtos/filex/security/advisories/GHSA-8jqf-wjhq-4w9f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-191"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-120"}], "source": "security-advisories@github.com", "type": "Secondary"}]}