logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-f366-4rvv-95x2 cryptoauthlib

Package

Manager: pip
Name: cryptoauthlib
Vulnerable Version: >=0 <20200912

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:P/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Buffer overflow in deprecated USB HALs and stack overflow in USB enumeration ### Impact 1) If an application is making use of the deprecated kit protocol HALs as the communication channel to the target device an attacker can masquerade as a device and return malformed packets of arbitrary length which the protocol stack will write to the stack. HALs intended for production use are unaffected (I2C, SWI, & SPI) as well as the hidapi HAL (hal_all_platforms_kit_hidapi.c). 2) The hidapi HAL can be made to overrun the application stack by attaching more than 10 (real or virtual) devices likely resulting in an application crash as this does not allow arbitrary data to be written to the stack. ### Patches USB kit enumeration has been patched in v3.2.3 for the hidapi HAL (hal_all_platforms_kit_hidapi.c). ### Removal of deprecated HALs Deprecated usb kit HALs have been removed in v3.2.3. ### Workarounds This vulnerability is limited to users of the kit protocol which is used with Microchip kits and kit firmware to bridge communication from USB-HID to I2C or SWI. It is not expected that kits would be used in an production environment. This is an optional component for users as well so they can always compile the library without the usb support option. ### Special python packaging notes The python package for cryptoauthlib uses date codes for identifying versions. The patched version for python packages is 20200912 ### References Please see [Microchip PSIRT](https://www.microchip.com/design-centers/embedded-security/how-to-report-potential-product-security-vulnerabilities) for Microchip's security policy and reporting procedures ### Credits Special thanks to Ruben Santamarta of [IOActive](https://blogs.ioactive.com/) for reporting

Metadata

Created: 2020-10-02T16:33:19Z
Modified: 2021-10-04T21:23:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-f366-4rvv-95x2/GHSA-f366-4rvv-95x2.json
CWE IDs: ["CWE-120"]
Alternative ID: N/A
Finding: F316
Auto approve: 1