{"id":2241,"date":"2023-11-07T07:47:14","date_gmt":"2023-11-07T06:47:14","guid":{"rendered":"https:\/\/security.humanativaspa.it\/?p=2241"},"modified":"2025-10-21T09:20:31","modified_gmt":"2025-10-21T09:20:31","slug":"ost2-zephyr-rtos-and-a-bunch-of-cves","status":"publish","type":"post","link":"https:\/\/hnsecurity.it\/it\/blog\/ost2-zephyr-rtos-and-a-bunch-of-cves\/","title":{"rendered":"OST2, Zephyr RTOS, and a bunch of CVEs"},"content":{"rendered":"

“When hackers tell me it’s so hard to find bugs, I tell them to stop looking for hard bugs.”<\/em>
\n— Dave Aitel<\/em><\/p><\/blockquote>\n

Summary<\/h3>\n

The Zephyr Project<\/a> is an open source collaborative effort sponsored by the Linux Foundation. It unites developers and users in building a best-in-class, small, scalable, real-time operating system (RTOS)<\/strong> optimized for resource-constrained IoT devices, across multiple microcontroller architectures.<\/p>\n

I reviewed Zephyr’s source code<\/a> hosted on GitHub and identified multiple security vulnerabilities<\/strong> that may cause memory corruption. Their impacts range from denial of service<\/strong> to potential arbitrary code execution<\/strong>.<\/p>\n

My detailed advisory<\/strong> is available here: https:\/\/github.com\/hnsecurity\/vulns\/blob\/main\/HNS-2023-03-zephyr.txt<\/a><\/p>\n

Background<\/h3>\n

After my recent, less than pleasant coordinated disclosure experiences<\/a>, I became fed up with having to deal with commercial vendors. In my endless endeavor to become a better security researcher, I decided to try to meaningfully contribute to open source projects<\/strong> instead.<\/p>\n

At about the same time, I stumbled upon the\u00a0OpenSecurityTraining2<\/a> (OST2) project that provides world-class, free security training<\/strong>. While going through their awesome (and much recommended!) Vulns1001<\/a> and Vulns1002<\/a> training courses, I discovered the Zephyr Project<\/a>. It immediately piqued my interest and therefore I decided to review its source code.<\/p>\n

During the review, I made heavy use of my Semgrep C\/C++ ruleset<\/a> to identify hotspots in code on which to focus my attention. I also took advantage of this opportunity to improve<\/a> the ruleset.<\/p>\n

Vulnerabilities<\/h3>\n

The vulnerabilities<\/strong> resulting from my source code review are:<\/p>\n

    \n
  • CVE-2023-3725<\/a> – Stack buffer overflow vulnerability in the Zephyr CANbus subsystem<\/li>\n
  • CVE-2023-4257<\/a> – Unchecked user input length in the Zephyr WiFi shell module<\/li>\n
  • CVE-2023-4259<\/a> – Static buffer overflow vulnerabilities in the Zephyr eS-WiFi driver<\/li>\n
  • CVE-2023-4260<\/a> – Off-by-one stack buffer overflow vulnerability in the Zephyr FS subsystem<\/li>\n
  • CVE-2023-4261<\/a> – Unspecified buffer overflow vulnerability in the Zephyr IPC subsystem (unreleased)<\/li>\n
  • CVE-2023-4262<\/a> – Heap buffer overflow vulnerabilities in the Zephyr Mgmt subsystem<\/li>\n
  • CVE-2023-4263<\/a> – Stack buffer overflow vulnerability in the Zephyr IEEE 802.15.4 driver<\/li>\n
  • CVE-2023-4264<\/a> – Static, stack, and heap buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem<\/li>\n
  • CVE-2023-4265<\/a> – Two buffer overflow vulnerabilities in Zephyr USB code<\/li>\n
  • CVE-2023-5139<\/a> – Buffer overflow vulnerability in the Zephyr STM32 Crypto driver<\/li>\n
  • CVE-2023-5184<\/a> – Signed to unsigned conversion errors and stack buffer overflow vulnerabilities in the Zephyr IPM driver<\/li>\n
  • CVE-2023-5753<\/a> – Static and heap buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem<\/li>\n<\/ul>\n

    After all, what better way to celebrate 20 years since my first CVE<\/strong> than with a bunch of brand new CVEs? \ud83d\ude09<\/p>\n

    \n

    I've just noticed today that it's been #20years<\/a> since I've got my first #CVE<\/a> (actually it was a "CAN" back then). https:\/\/t.co\/KMLUqZBdeV<\/a><\/p>\n

    The exploit is #25 on @exploitdb<\/a> \ud83d\ude1c\u200bhttps:\/\/t.co\/FBsK25dI5H<\/a><\/p>\n

    Time flies when you're having fun!#vulnerability<\/a> #research<\/a> #exploitation<\/a><\/p>\n

    — raptor@infosec.exchange (@0xdea) August 14, 2023<\/a><\/p><\/blockquote>\n