ID

VAR-201911-0590


CVE

CVE-2019-17211


TITLE

Arm Mbed OS Integer overflow vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-011853

DESCRIPTION

An integer overflow was discovered in the CoAP library in Arm Mbed OS 5.14.0. The function sn_coap_builder_calc_needed_packet_data_size_2() calculates the memory required for a CoAP message from the sn_coap_hdr_s data structure. Both returned_byte_count and src_coap_msg_ptr->payload_len are of type uint16_t, so when they are added together the result stored in returned_byte_count can wrap around the maximum uint16_t value. As a result, insufficient buffer space is allocated for the corresponding CoAP message. ARM Mbed OS is an open-source embedded operating system for the Internet of Things from the British company ARM. The CoAP library is one of its Constrained Application Protocol (CoAP) libraries. The vulnerability stems from the product failing to correctly verify input data. No detailed vulnerability details are currently available. A remote attacker can use a specially crafted request to exploit the vulnerability and execute arbitrary code on the system.
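The size-calculation defect described above is easiest to see in a reduced model. The following C program is an added illustration written for this record; it is not Mbed OS's own code, and the struct coap_msg_model type, its header_and_options_len field and the two function names are constructed for the example. It mirrors only the fact the description states: two uint16_t quantities are summed into a uint16_t. The unchecked variant reproduces the wrap, the checked variant widens the arithmetic and refuses sums that do not fit, and shortfall() reports how many bytes the wrapped allocation would be short by.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the message-size inputs; not the sn_coap_hdr_s layout. */
struct coap_msg_model {
    uint16_t header_and_options_len; /* constructed: bytes already accounted for */
    uint16_t payload_len;            /* same type as payload_len in the description */
};

/* Overflow-prone variant: the sum is stored back into a uint16_t, so it is
 * reduced modulo 65536 and a large message yields a small size. */
uint16_t needed_size_unchecked(const struct coap_msg_model *m)
{
    uint16_t returned_byte_count = m->header_and_options_len;
    returned_byte_count += m->payload_len; /* wraps silently */
    return returned_byte_count;
}

/* Hardened variant: compute in 32 bits and reject anything over UINT16_MAX. */
bool needed_size_checked(const struct coap_msg_model *m, uint16_t *out)
{
    uint32_t sum = (uint32_t)m->header_and_options_len + (uint32_t)m->payload_len;
    if (sum > UINT16_MAX) {
        return false; /* caller must treat the message as unbuildable */
    }
    *out = (uint16_t)sum;
    return true;
}

/* Bytes the message really needs minus bytes the wrapped calculation would
 * allocate: a positive value is the amount of buffer that is missing. */
uint32_t shortfall(const struct coap_msg_model *m)
{
    uint32_t real = (uint32_t)m->header_and_options_len + (uint32_t)m->payload_len;
    return real - needed_size_unchecked(m);
}

int main(void)
{
    /* Constructed inputs: together they exceed 65535. */
    struct coap_msg_model big = { 65000, 1000 };
    struct coap_msg_model small = { 100, 200 };
    uint16_t size;

    printf("unchecked size for 65000+1000: %u (short by %u bytes)\n",
           needed_size_unchecked(&big), shortfall(&big));
    printf("checked size accepts 65000+1000: %s\n",
           needed_size_checked(&big, &size) ? "yes" : "no");
    if (needed_size_checked(&small, &size)) {
        printf("checked size for 100+200: %u\n", size);
    }
    return 0;
}
```

A reviewer looking for the same class of bug elsewhere checks every place a width-limited length field is accumulated: the fix is to widen the accumulator or to bound the operands before the addition, and to make the caller handle a rejected size rather than proceeding with whatever the wrapped value happens to be.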

Trust: 2.7

sources: NVD: CVE-2019-17211 // JVNDB: JVNDB-2019-011853 // CNVD: CNVD-2020-14205 // CNNVD: CNNVD-201911-196

IOT TAXONOMY

category: ['IoT']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-14205

AFFECTED PRODUCTS

vendor: arm
model: mbed os
scope: eq
version: 5.14.0

Trust: 1.4

vendor: mbed
model: mbed
scope: eq
version: 5.13.2

Trust: 1.0

vendor: mbed
model: mbed
scope: eq
version: 5.14.0

Trust: 1.0

sources: CNVD: CNVD-2020-14205 // JVNDB: JVNDB-2019-011853 // NVD: CVE-2019-17211

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-17211
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-17211
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2020-14205
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201911-196
value: CRITICAL

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2019-17211
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-14205
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2019-17211
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-17211
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-14205 // JVNDB: JVNDB-2019-011853 // CNNVD: CNNVD-201911-196 // NVD: CVE-2019-17211

PROBLEMTYPE DATA

problemtype: CWE-190

Trust: 1.8

sources: JVNDB: JVNDB-2019-011853 // NVD: CVE-2019-17211

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201911-196

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201911-196

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011853

PATCH

title: mbed-os/features/frameworks/mbed-coap/source/sn_coap_builder.c
url: https://github.com/ARMmbed/mbed-os/blob/d0686fd30b4d3d02efdc7e4d0fbf0dfe173543b6/features/frameworks/mbed-coap/source/sn_coap_builder.c#L1090

Trust: 0.8

title: memory access out of range in MbedOS CoAP library builder part #11804
url: https://github.com/ARMmbed/mbed-os/issues/11804

Trust: 0.8

title: Patch for ARM Mbed OS CoAP library input verification error vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/204641

Trust: 0.6

title: ARM Mbed OS CoAP library input validation error vulnerability fix
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=102484

Trust: 0.6

sources: CNVD: CNVD-2020-14205 // JVNDB: JVNDB-2019-011853 // CNNVD: CNNVD-201911-196

EXTERNAL IDS

db: NVD, id: CVE-2019-17211

Trust: 3.0

db: JVNDB, id: JVNDB-2019-011853

Trust: 0.8

db: CNVD, id: CNVD-2020-14205

Trust: 0.6

db: CNNVD, id: CNNVD-201911-196

Trust: 0.6

sources: CNVD: CNVD-2020-14205 // JVNDB: JVNDB-2019-011853 // CNNVD: CNNVD-201911-196 // NVD: CVE-2019-17211

REFERENCES

url: https://github.com/armmbed/mbed-os/blob/d0686fd30b4d3d02efdc7e4d0fbf0dfe173543b6/features/frameworks/mbed-coap/source/sn_coap_builder.c#l527

Trust: 1.6

url: https://github.com/armmbed/mbed-os/blob/d0686fd30b4d3d02efdc7e4d0fbf0dfe173543b6/features/frameworks/mbed-coap/source/sn_coap_builder.c#l746

Trust: 1.6

url: https://github.com/armmbed/mbed-os/issues/11804

Trust: 1.6

url: https://github.com/armmbed/mbed-os/blob/d0686fd30b4d3d02efdc7e4d0fbf0dfe173543b6/features/frameworks/mbed-coap/source/sn_coap_builder.c#l524

Trust: 1.6

url: https://github.com/armmbed/mbed-os/blob/d0686fd30b4d3d02efdc7e4d0fbf0dfe173543b6/features/frameworks/mbed-coap/source/sn_coap_builder.c#l1090

Trust: 1.6

url: https://github.com/armmbed/mbed-os/blob/d0686fd30b4d3d02efdc7e4d0fbf0dfe173543b6/features/frameworks/mbed-coap/source/sn_coap_builder.c#l710

Trust: 1.6

url: https://github.com/armmbed/mbed-os/blob/d0686fd30b4d3d02efdc7e4d0fbf0dfe173543b6/features/frameworks/mbed-coap/source/sn_coap_builder.c#l355

Trust: 1.6

url: https://github.com/armmbed/mbed-os/blob/d0686fd30b4d3d02efdc7e4d0fbf0dfe173543b6/features/frameworks/mbed-coap/source/sn_coap_builder.c#l718

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2019-17211

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-17211

Trust: 0.8

url: https://github.com/armmbed/mbed-os

Trust: 0.6

sources: CNVD: CNVD-2020-14205 // JVNDB: JVNDB-2019-011853 // CNNVD: CNNVD-201911-196 // NVD: CVE-2019-17211

SOURCES

db: CNVD, id: CNVD-2020-14205
db: JVNDB, id: JVNDB-2019-011853
db: CNNVD, id: CNNVD-201911-196
db: NVD, id: CVE-2019-17211

LAST UPDATE DATE

2024-11-23T22:29:50.714000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-14205, date: 2020-02-27T00:00:00
db: JVNDB, id: JVNDB-2019-011853, date: 2019-11-19T00:00:00
db: CNNVD, id: CNNVD-201911-196, date: 2020-07-10T00:00:00
db: NVD, id: CVE-2019-17211, date: 2024-11-21T04:31:51.997

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-14205, date: 2020-02-25T00:00:00
db: JVNDB, id: JVNDB-2019-011853, date: 2019-11-19T00:00:00
db: CNNVD, id: CNNVD-201911-196, date: 2019-11-05T00:00:00
db: NVD, id: CVE-2019-17211, date: 2019-11-05T16:15:10.570