
BT: Missing Check in LL_CONNECTION_UPDATE_IND Packet Leads to Division by Zero

High
ceolin published GHSA-xcr5-5g98-mchp Aug 19, 2024

Package

zephyr (west)

Affected versions

<= 3.6

Patched versions

None

Description

Summary

The function llcp_pdu_decode_conn_update_ind in subsys/bluetooth/controller/ll_sw/ull_llcp_pdu.c copies the fields of a received LL_CONNECTION_UPDATE_IND PDU into the procedure context without validating them. A malicious BLE device can crash a BLE peripheral's controller by sending a malformed LL_CONNECTION_UPDATE_IND packet whose Interval field is zero.

Description

Assume that the peripheral's (victim's) controller is currently executing the Central-initiated Connection Parameters Request procedure.


If an attacker sends a malicious LL_CONNECTION_UPDATE_IND packet with Interval set to zero to the peripheral, the peripheral processes it according to the call sequence below.

  • lp_cu_st_wait_rx_conn_update_ind or rp_cu_st_wait_rx_conn_update_ind (the local- and remote-procedure variants). Both call llcp_pdu_decode_conn_update_ind, which sets ctx->data.cu.interval_max to zero without any range check.
  • lp_cu_check_instant or rp_cu_check_instant. Both call cu_update_conn_parameters once the instant is reached.
  • cu_update_conn_parameters calls ull_conn_update_parameters, passing ctx->data.cu.interval_max, which is zero, as its interval argument. Consequently, when ull_conn_update_parameters executes latency_upd = conn_interval_old / interval; , a division by zero is triggered and the controller crashes.
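As an added illustration (not Zephyr's code and not the fix in #72608), the following C program decodes an LL_CONNECTION_UPDATE_IND PDU, adds the Bluetooth Core specification range checks that the vulnerable decoder lacks, and shows that a PDU with Interval = 0 is rejected before the division the call chain above reaches. All function and type names, and the two sample PDUs, are this example's own constructions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout of LL_CONNECTION_UPDATE_IND (Bluetooth Core Vol 6 Part B 2.4.2.1):
 * Opcode(1) WinSize(1) WinOffset(2) Interval(2) Latency(2) Timeout(2) Instant(2),
 * multi-byte fields little-endian. All names here are this example's own. */
#define LL_CONNECTION_UPDATE_IND_OPCODE 0x00
#define LL_CONNECTION_UPDATE_IND_LEN    12

struct conn_update {
	uint8_t  win_size;   /* 1.25 ms units */
	uint16_t win_offset; /* 1.25 ms units */
	uint16_t interval;   /* 1.25 ms units */
	uint16_t latency;    /* connection events */
	uint16_t timeout;    /* 10 ms units */
	uint16_t instant;    /* connection event counter */
};

static uint16_t le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Decode with no semantic validation: the shape of the bug. Every field,
 * including an Interval of 0, is copied straight into the context. */
static bool decode_conn_update_ind(const uint8_t *pdu, size_t len, struct conn_update *cu)
{
	if (len != LL_CONNECTION_UPDATE_IND_LEN || pdu[0] != LL_CONNECTION_UPDATE_IND_OPCODE) {
		return false;
	}
	cu->win_size   = pdu[1];
	cu->win_offset = le16(&pdu[2]);
	cu->interval   = le16(&pdu[4]);
	cu->latency    = le16(&pdu[6]);
	cu->timeout    = le16(&pdu[8]);
	cu->instant    = le16(&pdu[10]);
	return true;
}

/* The missing check: enforce the spec ranges (Vol 6 Part B 4.5.1 to 4.5.3)
 * before the parameters reach any arithmetic. */
static bool conn_update_params_valid(const struct conn_update *cu)
{
	if (cu->interval < 0x0006 || cu->interval > 0x0C80) {
		return false; /* 7.5 ms .. 4 s; this rejects the Interval = 0 PDU */
	}
	if (cu->latency > 0x01F3) {
		return false;
	}
	if (cu->timeout < 0x000A || cu->timeout > 0x0C80) {
		return false; /* 100 ms .. 32 s */
	}
	/* Supervision timeout must exceed (1 + latency) * interval * 2. */
	uint64_t timeout_us     = (uint64_t)cu->timeout * 10000U;
	uint64_t min_timeout_us = (uint64_t)(cu->latency + 1U) * cu->interval * 1250U * 2U;
	if (timeout_us <= min_timeout_us) {
		return false;
	}
	/* transmitWindowSize: 1.25 ms .. min(10 ms, interval - 1.25 ms). */
	if (cu->win_size < 1 || cu->win_size > 8 || cu->win_size >= cu->interval) {
		return false;
	}
	/* transmitWindowOffset: 0 .. interval. */
	return cu->win_offset <= cu->interval;
}

/* Stand-in for the peripheral's parameter update. Returns 0 on success,
 * -1 for a malformed PDU, -2 for out-of-range fields; the division only
 * runs after validation, so the divisor can no longer be zero. */
static int process_conn_update_ind(const uint8_t *pdu, size_t len,
				   uint16_t interval_old, uint16_t *latency_upd)
{
	struct conn_update cu;

	if (!decode_conn_update_ind(pdu, len, &cu)) {
		return -1;
	}
	if (!conn_update_params_valid(&cu)) {
		return -2;
	}
	/* Same shape as latency_upd = conn_interval_old / interval in the advisory. */
	*latency_upd = interval_old / cu.interval;
	return 0;
}

/* Constructed sample PDUs (not captured traffic). Valid one: WinSize 2,
 * WinOffset 3, Interval 0x18 (30 ms), Latency 0, Timeout 0x48 (720 ms), Instant 16. */
static const uint8_t pdu_valid[LL_CONNECTION_UPDATE_IND_LEN] = {
	0x00, 0x02, 0x03, 0x00, 0x18, 0x00, 0x00, 0x00, 0x48, 0x00, 0x10, 0x00
};
/* Same PDU with Interval = 0, the case from the advisory. */
static const uint8_t pdu_zero_interval[LL_CONNECTION_UPDATE_IND_LEN] = {
	0x00, 0x02, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x00, 0x10, 0x00
};

int main(void)
{
	uint16_t latency_upd = 0;
	int rc = process_conn_update_ind(pdu_valid, sizeof(pdu_valid), 48, &latency_upd);
	printf("valid PDU: rc=%d latency_upd=%u\n", rc, latency_upd);
	rc = process_conn_update_ind(pdu_zero_interval, sizeof(pdu_zero_interval), 48, &latency_upd);
	printf("Interval=0 PDU: rc=%d (rejected before the division)\n", rc);
	return 0;
}
```

The unvalidated decoder is kept deliberately so the two halves of the problem are visible: decoding alone happily produces interval == 0, and only the range check between decoding and the arithmetic prevents the crash. The same checks also cover the other fields an attacker controls in this PDU, not only Interval.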

crash backtrace screenshot


gdb crash screenshot

Patches

main: #72608

For more information

If you have any questions or comments about this advisory:

embargo: 2024-08-07

Credits

Reported by Wei Che Kao (Xiaobye), graduate student from National Yang Ming Chiao Tung University, Dept. of CS,
Security and Systems Lab.

Severity

High


CVSS v3 base metrics

Attack vector
Adjacent
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVE ID

CVE-2024-4785
