PT-2020-9974 · Cypress · Wiced Studio+1
Jiska · Published 2020-06-16 · Updated 2020-06-24 · CVE-2019-18614
CVSS v2.0: 4.6 (Medium)
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions:
Cypress CYW20735 evaluation board (affected versions not specified)
WICED Studio versions 6.2 through 6.4
Description:
The issue is caused by a buffer overflow that occurs when data exceeds 384 bytes. This happens because the maximum BLOC buffer size for sending and receiving data is set to 384 bytes, while other configurations remain at the usual size of 1092 bytes. An attacker can trigger the overflow by sending packets over the air or as an unprivileged local user. The overflow can be triggered over the air by sending a minimal proof of concept, such as "l2ping -s 600", to the target address prior to any pairing. Locally, the buffer overflow is immediately triggered by opening an ACL or SCO connection to a headset. This is due to BT_ACL_HOST_TO_DEVICE_DEFAULT_SIZE and BT_ACL_DEVICE_TO_HOST_DEFAULT_SIZE being set to 384 in WICED Studio 6.2 and 6.4.
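The size mismatch described above, as an added example that is not Cypress or WICED code: a simplified model in which a length check against the stack-wide 1092-byte limit admits data that a 384-byte block cannot hold, next to a copy routine bounded by the destination itself. All function and macro names are hypothetical, the payload is constructed, and protocol headers are ignored.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes come from the advisory text; all names here are hypothetical. */
#define BLOC_BLOCK_SIZE     384u  /* capacity of one send/receive block */
#define LEGACY_ACL_MAX_LEN 1092u  /* "usual" size the rest of the stack assumes */

/* Flawed admission check: compares against the stack-wide maximum
 * instead of the capacity of the destination block. */
static int legacy_check_admits(size_t len) { return len <= LEGACY_ACL_MAX_LEN; }

/* Bytes that would land past the block if the legacy check were the only guard. */
static size_t overrun_bytes(size_t len)
{
    if (!legacy_check_admits(len) || len <= BLOC_BLOCK_SIZE)
        return 0;
    return len - BLOC_BLOCK_SIZE;
}

/* Hardened copy: bounded by the destination capacity; rejects, never truncates. */
static int rx_copy_checked(uint8_t *dst, size_t cap, const uint8_t *src, size_t len)
{
    if (dst == NULL || src == NULL || len > cap)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Pass a constructed all-zero payload of `len` bytes through the hardened path. */
static int demo_receive(size_t len)
{
    static const uint8_t payload[LEGACY_ACL_MAX_LEN]; /* constructed sample data */
    uint8_t block[BLOC_BLOCK_SIZE];
    if (len > sizeof payload)
        return -1;
    return rx_copy_checked(block, sizeof block, payload, len);
}

int main(void)
{
    printf("600 bytes: legacy check admits=%d, overrun=%zu bytes, hardened rc=%d\n",
           legacy_check_admits(600), overrun_bytes(600), demo_receive(600));
    return 0;
}
```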
Recommendations:
For WICED Studio versions 6.2 and 6.4, consider increasing BT_ACL_HOST_TO_DEVICE_DEFAULT_SIZE and BT_ACL_DEVICE_TO_HOST_DEFAULT_SIZE to a value greater than 384 to prevent the buffer overflow.
As a temporary workaround, restrict access to ACL and SCO connections to minimize the risk of exploitation.
Avoid using the l2ping command with a size greater than 384 bytes until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Memory Corruption
Affected Products
Cypress Cyw20735
Wiced Studio