CVE-2020-27892

Name of the Vulnerable Software and Affected Versions Texas Instruments CC2538 devices with Z-Stack version 3.0.1

Description The issue arises from the improper processing of certain ZCL messages by the Zigbee protocol implementation. Specifically, it fails to handle a ZCL Discover Commands Received Response message or a ZCL Discover Commands Generated Response message correctly, leading to a crash in the zclParseInDiscCmdsRspCmd() function.

Recommendations For Texas Instruments CC2538 devices with Z-Stack version 3.0.1, as a temporary workaround, consider disabling the zclParseInDiscCmdsRspCmd() function until a patch is available. Restrict access to ZCL Discover Commands to minimize the risk of exploitation. Avoid using the ZCL Discover Commands feature in the affected devices until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.