CVE-2020-12887 - Vulnerability Details

Vendors	Products
Arm	Mbed-coap Mbed Os

Link	Providers
https://github.com/ARMmbed/mbed-coap/pull/116
https://github.com/ARMmbed/mbed-os/issues/12930
https://github.com/ARMmbed/mbed-os/issues/12957
https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Memory leaks were discovered in the CoAP library in Arm Mbed OS 5.15.3 when using the Arm mbed-coap library 5.1.5. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses the CoAP option number field of all options present in the input packet. Each option number is calculated as a sum of the previous option number and a delta of the current option. The delta and the previous option number are expressed as unsigned 16-bit integers. Due to lack of overflow detection, it is possible to craft a packet that wraps the option number around and results in the same option number being processed again in a single packet. Certain options allocate memory by calling a memory allocation function. In the cases of COAP_OPTION_URI_QUERY, COAP_OPTION_URI_PATH, COAP_OPTION_LOCATION_QUERY, and COAP_OPTION_ETAG, there is no check on whether memory has already been allocated, which in conjunction with the option number integer overflow may lead to multiple assignments of allocated memory to a single pointer. This has been demonstrated to lead to memory leak by buffer orphaning. As a result, the memory is never freed."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-06-18T18:24:47", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/ARMmbed/mbed-os/issues/12957"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ARMmbed/mbed-os/issues/12930"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ARMmbed/mbed-coap/pull/116"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-12887", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Memory leaks were discovered in the CoAP library in Arm Mbed OS 5.15.3 when using the Arm mbed-coap library 5.1.5. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses the CoAP option number field of all options present in the input packet. Each option number is calculated as a sum of the previous option number and a delta of the current option. The delta and the previous option number are expressed as unsigned 16-bit integers. Due to lack of overflow detection, it is possible to craft a packet that wraps the option number around and results in the same option number being processed again in a single packet. Certain options allocate memory by calling a memory allocation function. In the cases of COAP_OPTION_URI_QUERY, COAP_OPTION_URI_PATH, COAP_OPTION_LOCATION_QUERY, and COAP_OPTION_ETAG, there is no check on whether memory has already been allocated, which in conjunction with the option number integer overflow may lead to multiple assignments of allocated memory to a single pointer. This has been demonstrated to lead to memory leak by buffer orphaning. As a result, the memory is never freed."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ARMmbed/mbed-os/issues/12957", "refsource": "MISC", "url": "https://github.com/ARMmbed/mbed-os/issues/12957"}, {"name": "https://github.com/ARMmbed/mbed-os/issues/12930", "refsource": "MISC", "url": "https://github.com/ARMmbed/mbed-os/issues/12930"}, {"name": "https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93", "refsource": "MISC", "url": "https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93"}, {"name": "https://github.com/ARMmbed/mbed-coap/pull/116", "refsource": "CONFIRM", "url": "https://github.com/ARMmbed/mbed-coap/pull/116"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:11:18.832Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ARMmbed/mbed-os/issues/12957"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ARMmbed/mbed-os/issues/12930"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ARMmbed/mbed-coap/pull/116"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-12887", "datePublished": "2020-06-18T18:24:47", "dateReserved": "2020-05-15T00:00:00", "dateUpdated": "2024-08-04T12:11:18.832Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arm:mbed-coap:5.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "514FAB1A-AD34-4295-BD7B-E417F85F16FD", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:arm:mbed_os:5.15.3:*:*:*:*:*:*:*", "matchCriteriaId": "B314FCEF-12B7-4510-AC5E-12D3574E3E68", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Memory leaks were discovered in the CoAP library in Arm Mbed OS 5.15.3 when using the Arm mbed-coap library 5.1.5. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses the CoAP option number field of all options present in the input packet. Each option number is calculated as a sum of the previous option number and a delta of the current option. The delta and the previous option number are expressed as unsigned 16-bit integers. Due to lack of overflow detection, it is possible to craft a packet that wraps the option number around and results in the same option number being processed again in a single packet. Certain options allocate memory by calling a memory allocation function. In the cases of COAP_OPTION_URI_QUERY, COAP_OPTION_URI_PATH, COAP_OPTION_LOCATION_QUERY, and COAP_OPTION_ETAG, there is no check on whether memory has already been allocated, which in conjunction with the option number integer overflow may lead to multiple assignments of allocated memory to a single pointer. This has been demonstrated to lead to memory leak by buffer orphaning. As a result, the memory is never freed."}, {"lang": "es", "value": "Se detectaron p\u00e9rdidas de la memoria en la biblioteca CoAP en Arm Mbed OS versi\u00f3n 5.15.3 cuando se usa la biblioteca Arm mbed-coap versi\u00f3n 5.1.5. El analizador CoAP es responsable de analizar los paquetes CoAP recibidos. La funci\u00f3n sn_coap_parser_options_parse() analiza el campo CoAP option number de todas las opciones presentes en el paquete de entrada. Cada n\u00famero de opci\u00f3n es calculado como una suma del n\u00famero de opci\u00f3n previo y un delta de la opci\u00f3n actual. El delta y el n\u00famero de opci\u00f3n anterior son expresados como enteros de 16 bits sin signo. Debido a la falta de detecci\u00f3n de desbordamiento, es posible crear un paquete que contenga el n\u00famero de opci\u00f3n y resulte en que el mismo n\u00famero de opci\u00f3n sea procesado nuevamente en un solo paquete. Determinadas opciones asignan memoria llamando a una funci\u00f3n de asignaci\u00f3n de memoria. En los casos de COAP_OPTION_URI_QUERY, COAP_OPTION_URI_PATH, COAP_OPTION_LOCATION_QUERY y COAP_OPTION_ETAG, no se comprueba si ya se ha asignado memoria, lo que en conjunto con el desbordamiento de enteros del n\u00famero de opci\u00f3n puede conllevar a m\u00faltiples asignaciones de memoria asignada a un \u00fanico puntero. Se ha demostrado que esto conlleva a una p\u00e9rdida de memoria mediante un hu\u00e9rfano de b\u00fafer. Como resultado, la memoria nunca es liberada"}], "id": "CVE-2020-12887", "lastModified": "2024-11-21T05:00:29.737", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-18T19:15:11.783", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/ARMmbed/mbed-coap/pull/116"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/ARMmbed/mbed-os/issues/12930"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/ARMmbed/mbed-os/issues/12957"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/ARMmbed/mbed-coap/pull/116"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/ARMmbed/mbed-os/issues/12930"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/ARMmbed/mbed-os/issues/12957"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/mjurczak/mbed-coap/commit/4647a68e364401e81dbd370728127d844f221d93"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object