CVE-2020-10071
Insufficient publish message length validation in MQTT
In short
A flaw in Zephyr's MQTT message handling fails to validate the length fields of PUBLISH messages against the bytes actually received. An attacker who can deliver MQTT traffic to the device (Zephyr's MQTT code is a client library, so in practice a malicious or compromised broker, or someone on the network path to it) can send a specially crafted message that overflows a buffer and potentially execute arbitrary code on the device.
Technical detail
The MQTT parser in Zephyr insufficiently validates the length fields of PUBLISH messages (CWE-120, classic buffer overflow; CWE-129, improper validation of array index). Because the wire-supplied lengths are trusted, a remote attacker can make the parser read or write past the end of the receive buffer. Exploitation requires being able to reach the device's MQTT connection and can result in arbitrary code execution; on a Zephyr device the network stack and application typically run in a single privilege domain, so a compromised parser means a compromised device.
Summary generated and translated by AI from the official description.
The Zephyr MQTT parsing code performs insufficient checking of the length field on publish messages, allowing a buffer overflow and potentially remote code execution (NCC Group finding NCC-ZEP-031). This issue affects zephyrproject-rtos zephyr version 2.2.0 and later versions.
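The bug class described above, as an added illustration written for this page and not Zephyr's MQTT code: a minimal MQTT 3.1.1 PUBLISH parser in an unchecked variant (lengths taken from the wire are trusted) and a checked variant (every length is bounded by the bytes actually received), run over two constructed packets. The names publish_view, publish_parse_unchecked, publish_parse_checked, topic_to_cstring and the sample packets are invented here; the checked variant shows the kind of validation a fix needs, not the actual patch.

```c
/* Added example for this page: generic MQTT 3.1.1 PUBLISH parsing,
 * unchecked vs. checked. Not Zephyr code; all names are invented here. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define MQTT_PUBLISH 0x30

struct publish_view {
    const uint8_t *topic;
    size_t topic_len;
    const uint8_t *payload;
    size_t payload_len;
    uint16_t packet_id;   /* 0 for QoS 0, where the field is absent */
};

/* Decode the MQTT "Remaining Length" varint (1..4 bytes).
 * Returns bytes consumed, or 0 if the field is truncated or too long. */
static size_t decode_remaining_length(const uint8_t *buf, size_t len, size_t *out)
{
    size_t value = 0, mult = 1, i = 0;
    uint8_t b;
    do {
        if (i >= len || i >= 4) return 0;
        b = buf[i++];
        value += (size_t)(b & 0x7F) * mult;
        mult *= 128;
    } while (b & 0x80);
    *out = value;
    return i;
}

/* Unchecked variant: the pattern the advisory describes, reduced to its
 * essentials. Only the fixed header is validated; topic length and the
 * derived payload length are taken from the wire without bounds checks. */
int publish_parse_unchecked(const uint8_t *pkt, size_t len, struct publish_view *v)
{
    size_t rem, hdr, consumed;
    if (len < 2 || (pkt[0] & 0xF0) != MQTT_PUBLISH) return -1;
    hdr = decode_remaining_length(pkt + 1, len - 1, &rem);
    if (hdr == 0 || len < 1 + hdr + 2) return -1;
    const uint8_t *p = pkt + 1 + hdr;
    v->topic_len = ((size_t)p[0] << 8) | p[1];   /* never compared to rem */
    v->topic = p + 2;
    consumed = 2 + v->topic_len;
    uint8_t qos = (pkt[0] >> 1) & 0x03;
    v->packet_id = 0;
    if (qos) {                                   /* reads past the buffer if topic_len lies */
        v->packet_id = (uint16_t)((p[consumed] << 8) | p[consumed + 1]);
        consumed += 2;
    }
    v->payload = p + consumed;
    v->payload_len = rem - consumed;             /* wraps around when consumed > rem */
    return 0;
}

/* Checked variant: every wire length is bounded by what was received. */
int publish_parse_checked(const uint8_t *pkt, size_t len, struct publish_view *v)
{
    size_t rem, hdr, consumed;
    if (len < 2 || (pkt[0] & 0xF0) != MQTT_PUBLISH) return -1;
    hdr = decode_remaining_length(pkt + 1, len - 1, &rem);
    if (hdr == 0) return -1;
    if (rem > len - 1 - hdr) return -1;          /* declared length exceeds received bytes */
    const uint8_t *p = pkt + 1 + hdr;
    if (rem < 2) return -1;                      /* topic length field must be present */
    v->topic_len = ((size_t)p[0] << 8) | p[1];
    consumed = 2;
    if (v->topic_len > rem - consumed) return -1; /* topic cannot extend past the packet */
    v->topic = p + consumed;
    consumed += v->topic_len;
    uint8_t qos = (pkt[0] >> 1) & 0x03;
    if (qos == 3) return -1;                     /* reserved QoS value */
    v->packet_id = 0;
    if (qos) {
        if (rem - consumed < 2) return -1;       /* packet identifier must be present */
        v->packet_id = (uint16_t)((p[consumed] << 8) | p[consumed + 1]);
        consumed += 2;
    }
    v->payload = p + consumed;
    v->payload_len = rem - consumed;             /* cannot underflow: consumed <= rem */
    return 0;
}

/* Application-side copy into a fixed buffer: the second place a wire
 * length must be checked, this time against the local buffer size. */
bool topic_to_cstring(const struct publish_view *v, char *dst, size_t dstsz)
{
    if (dstsz == 0 || v->topic_len >= dstsz) return false;
    memcpy(dst, v->topic, v->topic_len);
    dst[v->topic_len] = '\0';
    return true;
}

/* Constructed sample packets (not captured traffic). */
/* QoS 1 PUBLISH, topic "a/b", packet id 0x2A, payload "hi". */
static const uint8_t benign_publish[] = {
    0x32, 0x09, 0x00, 0x03, 'a', '/', 'b', 0x00, 0x2A, 'h', 'i'
};
/* QoS 0 PUBLISH whose topic length field (0xFFFF) exceeds the 4-byte remaining length. */
static const uint8_t crafted_publish[] = { 0x30, 0x04, 0xFF, 0xFF, 0x41, 0x41 };

int main(void)
{
    struct publish_view v;
    char topic[32];
    if (publish_parse_checked(benign_publish, sizeof benign_publish, &v) == 0 &&
        topic_to_cstring(&v, topic, sizeof topic))
        printf("benign, checked: topic=%s payload_len=%zu\n", topic, v.payload_len);
    if (publish_parse_unchecked(crafted_publish, sizeof crafted_publish, &v) == 0)
        printf("crafted, unchecked: topic_len=%zu payload_len=%zu (wrapped)\n",
               v.topic_len, v.payload_len);
    printf("crafted, checked: rc=%d\n",
           publish_parse_checked(crafted_publish, sizeof crafted_publish, &v));
    return 0;
}
```

The unchecked parser accepts the crafted packet and hands back a topic length of 65535 and a wrapped payload length far larger than the packet; any memcpy driven by those values reads or writes outside the receive buffer. The checked parser rejects the same packet at the topic-length comparison. The same shape of check (wire length against received bytes, then against the destination buffer) applies to every other length-prefixed field in the protocol.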
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (base score 9.0, Critical)
Affected products
zephyrproject-rtos · zephyr
References
https://docs.zephyrproject.org/latest/security/vulnerabilities.html#cve-2020-10071
https://github.com/zephyrproject-rtos/zephyr/pull/23821/commits/989c4713ba429aa5105fe476b4d629718f3e6082
https://research.nccgroup.com/2020/05/26/research-report-zephyr-and-mcuboot-security-assessment
https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-86