CVE-2023-48692

Azure RTOS NetX Duo is a TCP/IP network stack designed specifically for deeply embedded real-time and IoT applications. An attacker can cause remote code execution due to memory overflow vulnerabilities in Azure RTOS NETX Duo. The affected components include processes/functions related to icmp, tcp, snmp, dhcp, nat and ftp in RTOS v6.2.1 and below. The fixes have been included in NetX Duo release 6.3.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/azure-rtos/netxduo/security/advisories/GHSA-m2rx-243p-9w64	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:microsoft:azure_rtos_netx_duo:*:*:*:*:*:*:*:*

History

08 Dec 2023, 19:20

Type	Values Removed	Values Added
References	~~() https://github.com/azure-rtos/netxduo/security/advisories/GHSA-m2rx-243p-9w64 -~~	() https://github.com/azure-rtos/netxduo/security/advisories/GHSA-m2rx-243p-9w64 - Third Party Advisory
CPE		cpe:2.3:o:microsoft:azure_rtos_netx_duo::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Microsoft Microsoft azure Rtos Netx Duo

05 Dec 2023, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-05 01:15

Updated : 2023-12-10 15:26

NVD link : CVE-2023-48692

Mitre link : CVE-2023-48692

CVE.ORG link : CVE-2023-48692

JSON object : View

Products Affected

microsoft

azure_rtos_netx_duo

CWE

CWE-787

Out-of-bounds Write

CWE-825

Expired Pointer Dereference

{"id": "CVE-2023-48692", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.2}]}, "published": "2023-12-05T01:15:07.957", "references": [{"url": "https://github.com/azure-rtos/netxduo/security/advisories/GHSA-m2rx-243p-9w64", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-787"}, {"lang": "en", "value": "CWE-825"}]}], "descriptions": [{"lang": "en", "value": "Azure RTOS NetX Duo is a TCP/IP network stack designed specifically for deeply embedded real-time and IoT applications. An attacker can cause remote code execution due to memory overflow vulnerabilities in Azure RTOS NETX Duo. The affected components include processes/functions related to icmp, tcp, snmp, dhcp, nat and ftp in RTOS v6.2.1 and below. The fixes have been included in NetX Duo release 6.3.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Azure RTOS NetX Duo es una pila de red TCP/IP dise\u00f1ada espec\u00edficamente para aplicaciones de IoT y en tiempo real profundamente integradas. Un atacante puede provocar la ejecuci\u00f3n remota de c\u00f3digo debido a vulnerabilidades de desbordamiento de memoria en Azure RTOS NETX Duo. Los componentes afectados incluyen procesos/funciones relacionados con icmp, tcp, snmp, dhcp, nat y ftp en RTOS v6.2.1 y versiones anteriores. Las correcciones se incluyeron en la versi\u00f3n 6.3.0 de NetX Duo. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2023-12-08T19:20:21.023", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:azure_rtos_netx_duo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "401B08CC-CEC4-458C-B00D-5083B8DDC38A", "versionEndExcluding": "6.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}