FKIE_CVE-2023-46256

Vulnerability from fkie_nvd - Published: 2023-10-31 16:15 - Updated: 2024-11-21 08:28
Severity ?
4.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
PX4-Autopilot provides PX4 flight control solution for drones. In versions 1.14.0-rc1 and prior, PX4-Autopilot has a heap buffer overflow vulnerability in the parser function due to the absence of `parserbuf_index` value checking. A malfunction of the sensor device can cause a heap buffer overflow with leading unexpected drone behavior. Malicious applications can exploit the vulnerability even if device sensor malfunction does not occur. Up to the maximum value of an `unsigned int`, bytes sized data can be written to the heap memory area. As of time of publication, no fixed version is available.
References
security-advisories@github.comhttps://github.com/PX4/PX4-Autopilot/blob/main/src/drivers/distance_sensor/lightware_laser_serial/parser.cpp#L87Product
security-advisories@github.comhttps://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-5hvv-q2r5-rppwExploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/PX4/PX4-Autopilot/blob/main/src/drivers/distance_sensor/lightware_laser_serial/parser.cpp#L87Product
af854a3a-2127-422b-91ae-364da2661108https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-5hvv-q2r5-rppwExploit, Vendor Advisory
Impacted products
Vendor Product Version
dronecode px4_drone_autopilot *
dronecode px4_drone_autopilot 1.14.0
dronecode px4_drone_autopilot 1.14.0
dronecode px4_drone_autopilot 1.14.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "78D98550-9561-4A71-9D2F-1BCE023C983D",
              "versionEndIncluding": "1.13.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.14.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "1F0BC4DF-E761-446E-917E-D9313606B783",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.14.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "FAD25F65-00AF-418E-9B14-87893CA453F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.14.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "37546352-3A66-483D-93CB-90F474E683B7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PX4-Autopilot provides PX4 flight control solution for drones. In versions 1.14.0-rc1 and prior, PX4-Autopilot has a heap buffer overflow vulnerability in the parser function due to the absence of `parserbuf_index` value checking. A malfunction of the sensor device can cause a heap buffer overflow with leading unexpected drone behavior. Malicious applications can exploit the vulnerability even if device sensor malfunction does not occur. Up to the maximum value of an `unsigned int`, bytes sized data can be written to the heap memory area. As of time of publication, no fixed version is available."
    },
    {
      "lang": "es",
      "value": "PX4-Autopilot proporciona una soluci\u00f3n de control de vuelo PX4 para drones. En las versiones 1.14.0-rc1 y anteriores, PX4-Autopilot tiene una vulnerabilidad de desbordamiento del b\u00fafer de mont\u00f3n en la funci\u00f3n del analizador debido a la ausencia de verificaci\u00f3n del valor `parserbuf_index`. Un mal funcionamiento del dispositivo sensor puede provocar un desbordamiento del b\u00fafer de almacenamiento din\u00e1mico, lo que provocar\u00e1 un comportamiento inesperado del dron. Las aplicaciones maliciosas pueden aprovechar la vulnerabilidad incluso si no se produce un mal funcionamiento del sensor del dispositivo. Hasta el valor m\u00e1ximo de un `unsigned int`, se pueden escribir datos de tama\u00f1o de bytes en el \u00e1rea de memoria del mont\u00f3n. Al momento de la publicaci\u00f3n, no hay ninguna versi\u00f3n fija disponible."
    }
  ],
  "id": "CVE-2023-46256",
  "lastModified": "2024-11-21T08:28:11.033",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 4.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-31T16:15:10.080",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/PX4/PX4-Autopilot/blob/main/src/drivers/distance_sensor/lightware_laser_serial/parser.cpp#L87"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-5hvv-q2r5-rppw"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/PX4/PX4-Autopilot/blob/main/src/drivers/distance_sensor/lightware_laser_serial/parser.cpp#L87"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-5hvv-q2r5-rppw"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-120"
        },
        {
          "lang": "en",
          "value": "CWE-122"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.