CVE-2024-6563

{"id": "CVE-2024-6563", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}, {"type": "Secondary", "source": "cve@asrg.io", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 0.8}]}, "published": "2024-07-08T16:15:09.210", "references": [{"url": "https://asrg.io/security-advisories/cve-2024-6563/", "tags": ["Third Party Advisory"], "source": "cve@asrg.io"}, {"url": "https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164", "tags": ["Patch"], "source": "cve@asrg.io"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-120"}]}, {"type": "Secondary", "source": "cve@asrg.io", "description": [{"lang": "en", "value": "CWE-120"}, {"lang": "en", "value": "CWE-123"}]}], "descriptions": [{"lang": "en", "value": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C .\n\n\n\n\nIn line 313 \"addr_loaded_cnt\" is checked not to be \"CHECK_IMAGE_AREA_CNT\" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of \"dst\" will be written to the area immediately after the buffer, which is \"addr_loaded_cnt\". This will allow an attacker to freely control the value of \"addr_loaded_cnt\" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (\"len\") they desire."}, {"lang": "es", "value": "La vulnerabilidad de copia de b\u00fafer sin verificar el tama\u00f1o de la entrada ('desbordamiento de b\u00fafer cl\u00e1sico') en el firmware arm-trusted-de Renesas permite la ejecuci\u00f3n local de c\u00f3digo. Esta vulnerabilidad est\u00e1 asociada a archivos de programa https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com /renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C. En la l\u00ednea 313 se verifica que \"addr_loaded_cnt\" no sea \"CHECK_IMAGE_AREA_CNT\" (5) o mayor; esta verificaci\u00f3n no detiene la funci\u00f3n. Inmediatamente despu\u00e9s (l\u00ednea 317) habr\u00e1 un desbordamiento en el b\u00fafer y el valor de \"dst\" se escribir\u00e1 en el \u00e1rea inmediatamente despu\u00e9s del b\u00fafer, que es \"addr_loaded_cnt\". Esto permitir\u00e1 a un atacante controlar libremente el valor de \"addr_loaded_cnt\" y as\u00ed controlar el destino de la escritura inmediatamente despu\u00e9s (l\u00ednea 318). La escritura en la l\u00ednea 318 ser\u00e1 entonces totalmente controlada por dicho atacante, con cualquier direcci\u00f3n y cualquier valor (\"len\") que desee."}], "lastModified": "2024-08-22T15:51:55.843", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:renesas:arm-trusted-firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16A2BDC3-F664-4132-8148-9DB849240F8B"}], "operator": "OR"}]}], "sourceIdentifier": "cve@asrg.io"}