CVE-2024-45746

{"id": "CVE-2024-45746", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-10-09T17:15:19.727", "references": [{"url": "https://trustedfirmware-m.readthedocs.io/en/latest/security/security_advisories/user_pointers_mailbox_vectors_vulnerability.html", "source": "cve@mitre.org"}, {"url": "https://www.trustedfirmware.org/projects/tf-m/", "source": "cve@mitre.org"}], "vulnStatus": "Undergoing Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-120"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Trusted Firmware-M through 2.1.0. User provided (and controlled) mailbox messages contain a pointer to a list of input arguments (in_vec) and output arguments (out_vec). These list pointers are never validated. Each argument list contains a buffer pointer and a buffer length field. After a PSA call, the length of the output arguments behind the unchecked pointer is updated in mailbox_direct_reply, regardless of the call result. This allows an attacker to write anywhere in the secure firmware, which can be used to take over the control flow, leading to remote code execution (RCE)."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Trusted Firmware-M hasta 2.1.0. Los mensajes de buz\u00f3n proporcionados (y controlados) por el usuario contienen un puntero a una lista de argumentos de entrada (in_vec) y argumentos de salida (out_vec). Estos punteros de lista nunca se validan. Cada lista de argumentos contiene un puntero de b\u00fafer y un campo de longitud de b\u00fafer. Despu\u00e9s de una llamada PSA, la longitud de los argumentos de salida detr\u00e1s del puntero sin marcar se actualiza en mailbox_direct_reply, independientemente del resultado de la llamada. Esto permite que un atacante escriba en cualquier parte del firmware seguro, lo que se puede utilizar para tomar el control del flujo de control, lo que conduce a la ejecuci\u00f3n remota de c\u00f3digo (RCE)."}], "lastModified": "2024-10-11T21:36:34.350", "sourceIdentifier": "cve@mitre.org"}