Threadx Usbx
CVE-2022-36063
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Azure RTOS USBx is a USB host, device, and on-the-go (OTG) embedded stack, fully integrated with Azure RTOS ThreadX and available for all Azure RTOS ThreadX-supported processors. Azure RTOS USBX implementation of host support for USB CDC ECM includes an integer underflow and a buffer overflow in the _ux_host_class_cdc_ecm_mac_address_get function which may be potentially exploited to achieve remote code execution or denial of service. Setting mac address string descriptor length to a 0 or 1 allows an attacker to introduce an integer underflow followed (string_length) by a buffer overflow of the cdc_ecm -> ux_host_class_cdc_ecm_node_id array. This may allow one to redirect the code execution flow or introduce a denial of service. The fix has been included in USBX release 6.1.12. Improved mac address string descriptor length validation to check for unexpectedly small values may be used as a workaround.
AnalysisAI
Azure RTOS USBx is a USB host, device, and on-the-go (OTG) embedded stack, fully integrated with Azure RTOS ThreadX and available for all Azure RTOS ThreadX-supported processors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-121. Azure RTOS USBx is a USB host, device, and on-the-go (OTG) embedded stack, fully integrated with Azure RTOS ThreadX and available for all Azure RTOS ThreadX-supported processors. Azure RTOS USBX implementation of host support for USB CDC ECM includes an integer underflow and a buffer overflow in the _ux_host_class_cdc_ecm_mac_address_get function which may be potentially exploited to achieve remote code execution or denial of service. Setting mac address string descriptor length to a 0 or 1 allows an attacker to introduce an integer underflow followed (string_length) by a buffer overflow of the cdc_ecm -> ux_host_class_cdc_ecm_node_id array. This may allow one to redirect the code execution flow or introduce a denial of service. The fix has been included in USBX release 6.1.12. Improved mac address string descriptor length validation to check for unexpectedly small values may be used as a workaround. Affected products include: Eclipse Threadx Usbx.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Threadx Usbx
View allAzure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS Thre
Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS Thre
Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS Thre
Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS Thre
Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS Thre
Azure RTOS USBX is a high-performance USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated wit
Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. Rated critical severity (CVSS 9.8), this vuln
Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. Rated critical severity (CVSS 9.8), this vuln
The function _ux_host_class_storage_media_mount() is responsible for mounting partitions on a USB mass storage device. W
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today