CVE-2019-11516

An issue was discovered in the Bluetooth component of the Cypress (formerly owned by Broadcom) Wireless IoT codebase. Extended Inquiry Responses (EIRs) are improperly handled, which causes a heap-based buffer overflow during device inquiry. This overflow can be used to overwrite existing functions with arbitrary code. The Reserved for Future Use (RFU) bits are not discarded by eir_handleRx(), and are included in an EIR's length. Therefore, one can exceed the expected 240 bytes, which leads to a heap-based buffer overflow in eir_getReceivedEIR() called by bthci_event_SendInquiryResultEvent(). In order to exploit this bug, an attacker must repeatedly connect to the victim's device in a short amount of time from different source addresses. This will cause the victim's Bluetooth stack to resolve the device names and therefore allocate buffers with attacker-controlled data. Due to the heap corruption, the name will be eventually written to an attacker-controlled location, leading to a write-what-where condition.

CVSS v3 8.1 HIGH
CVSS v2.0 6.8 MEDIUM

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://community.cypress.com/thread/53681
https://source.android.com/security/bulletin/2019-08-01	Third Party Advisory
https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-android-os-could-allow-for-arbitrary-code-execution_2019-078/	Third Party Advisory
https://www.techrepublic.com/article/android-security-bulletin-august-2019-what-you-need-to-know/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-02-05 17:15

Updated : 2023-12-10 13:13

NVD link : CVE-2019-11516

Mitre link : CVE-2019-11516

CVE.ORG link : CVE-2019-11516

JSON object : View

Products Affected

google

android

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2019-11516", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2020-02-05T17:15:10.240", "references": [{"url": "https://community.cypress.com/thread/53681", "source": "cve@mitre.org"}, {"url": "https://source.android.com/security/bulletin/2019-08-01", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-android-os-could-allow-for-arbitrary-code-execution_2019-078/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.techrepublic.com/article/android-security-bulletin-august-2019-what-you-need-to-know/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the Bluetooth component of the Cypress (formerly owned by Broadcom) Wireless IoT codebase. Extended Inquiry Responses (EIRs) are improperly handled, which causes a heap-based buffer overflow during device inquiry. This overflow can be used to overwrite existing functions with arbitrary code. The Reserved for Future Use (RFU) bits are not discarded by eir_handleRx(), and are included in an EIR's length. Therefore, one can exceed the expected 240 bytes, which leads to a heap-based buffer overflow in eir_getReceivedEIR() called by bthci_event_SendInquiryResultEvent(). In order to exploit this bug, an attacker must repeatedly connect to the victim's device in a short amount of time from different source addresses. This will cause the victim's Bluetooth stack to resolve the device names and therefore allocate buffers with attacker-controlled data. Due to the heap corruption, the name will be eventually written to an attacker-controlled location, leading to a write-what-where condition."}, {"lang": "es", "value": "Se detect\u00f3 un problema en el componente Bluetooth de la base de c\u00f3digo Wireless IoT de Cypress (anteriormente propiedad de Broadcom). Las Respuestas de Consulta Extendida (EIRs) se manejan inapropiadamente, lo que causa un desbordamiento del b\u00fafer en la regi\u00f3n heap de la memoria durante una consulta del dispositivo. Este desbordamiento puede ser utilizado para sobrescribir funciones existentes con c\u00f3digo arbitrario. Los bits Reservados para Uso Futuro (RFU) no son descartados por la funci\u00f3n eir_handleRx(), y son incluidos en una longitud de una EIR. Por lo tanto, uno puede exceder los 240 bytes esperados, lo que conlleva a un desbordamiento del b\u00fafer en la regi\u00f3n heap de la memoria en la funci\u00f3n eir_getReceivedEIR() llamada por la funci\u00f3n bthci_event_SendInquiryResultEvent(). A fin de explotar este error, un atacante debe conectarse repetidamente al dispositivo de la v\u00edctima en un corto per\u00edodo de tiempo desde diferentes direcciones de origen. Esto causar\u00e1 que la pila del Bluetooth de la v\u00edctima resuelva los nombres de los dispositivos y, por lo tanto, asigne buffers con datos controlados por el atacante. Debido a la corrupci\u00f3n de la pila, el nombre eventualmente ser\u00e1 escrito en una ubicaci\u00f3n controlada por el atacante, lo que conlleva a una condici\u00f3n write-what-where."}], "lastModified": "2020-04-13T15:15:11.250", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}