CVE-2024-48986
Description
An issue was discovered in MBed OS 6.16.0. Its hci parsing software dynamically determines the length of certain hci packets by reading a byte from its header. Certain events cause a callback, the logic for which allocates a buffer (the length of which is determined by looking up the event type in a table). The subsequent write operation, however, copies the amount of data specified in the packet header, which may lead to a buffer overflow. This bug is trivial to exploit for a denial of service but is not certain to suffice to bring the system down and can generally not be exploited further because the exploitable buffer is dynamically allocated.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer overflow in Mbed OS 6.16.0's BLE HCI event parser allows denial of service via crafted packets.
Vulnerability
An issue exists in Mbed OS version 6.16.0, specifically in its HCI parsing software within the BLE host stack (file hci_evt.c). The parser dynamically determines the length of certain HCI packets by reading a byte from the packet header. For certain events, a callback is triggered that allocates a buffer based on a lookup table indexed by event type. However, the subsequent write operation uses the length specified in the packet header rather than the allocated buffer size, leading to a heap-based buffer overflow [1].
Exploitation
An attacker needs the ability to send crafted HCI packets to the target device over a BLE connection. By supplying a packet with a header length field that exceeds the buffer size determined by the event type lookup table, the attacker can trigger a buffer overflow during the write operation. No authentication is required, as HCI events are generally processed before any security checks. The attack is trivial to execute [1].
Impact
Successful exploitation results in a denial of service condition, as the overflow can corrupt heap metadata or cause a crash. The official description states that the overflow is not certain to suffice to bring the system down, but it can cause instability. The vulnerability is unlikely to be exploited for arbitrary code execution because the overflow occurs in a dynamically allocated buffer, making reliable exploitation difficult [1].
Mitigation
A fix has been implemented in pull request #385 to the mbed-ce/mbed-os repository, which was created on November 19, 2024. The fix addresses the issue by ignoring messages with overlong headers and using the event length to determine allocation size [2]. Users are advised to apply this patch or upgrade to a version that includes the fix once released. No workaround is documented.
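As an added illustration (not Mbed OS code and not the fix in PR #385), the C sketch below shows the defensive check the narrative describes: an event-length table, the length byte in the packet header, and a parser that drops any packet whose header length exceeds the table entry before copying. The table values, function names and packet layout are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed table of expected parameter lengths per HCI event code.
 * Values are illustrative placeholders, not Mbed OS's real table. */
typedef struct { uint8_t evt_code; uint8_t expected_len; } evt_len_entry_t;
static const evt_len_entry_t EVT_LEN_TABLE[] = {
    { 0x0E, 4 },   /* hypothetical event with 4 parameter bytes */
    { 0x0F, 4 },
    { 0x3E, 19 },
};

/* Returns the table length for an event code, or -1 if unknown. */
static int lookup_expected_len(uint8_t evt_code) {
    for (size_t i = 0; i < sizeof EVT_LEN_TABLE / sizeof EVT_LEN_TABLE[0]; i++)
        if (EVT_LEN_TABLE[i].evt_code == evt_code)
            return EVT_LEN_TABLE[i].expected_len;
    return -1;
}

typedef struct { uint8_t *data; size_t len; } evt_buf_t;

/* Packet layout assumed here: [event code][parameter length][parameters].
 * The vulnerable pattern allocates expected_len bytes from the table and
 * then copies pkt[1] bytes; the two lengths are never compared.
 * This hardened parser compares them first and ignores the packet if the
 * header claims more than the table allows, or more than was received. */
bool parse_hci_evt_hardened(const uint8_t *pkt, size_t pkt_len, evt_buf_t *out) {
    if (pkt == NULL || out == NULL || pkt_len < 2)
        return false;                         /* header incomplete */
    uint8_t evt_code = pkt[0];
    uint8_t hdr_len  = pkt[1];
    int expected = lookup_expected_len(evt_code);
    if (expected < 0)
        return false;                         /* unknown event: ignore */
    if (hdr_len > (uint8_t)expected)
        return false;                         /* overlong header: ignore */
    if ((size_t)hdr_len + 2 > pkt_len)
        return false;                         /* truncated packet: ignore */
    out->data = malloc((size_t)expected);     /* allocation sized by table */
    if (out->data == NULL)
        return false;
    memcpy(out->data, pkt + 2, hdr_len);      /* copy bounded by the check */
    out->len = hdr_len;
    return true;
}
```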
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- MBed OS / MBed OS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.