PT-2021-20473 · Zephyr · Zephyr
Ceolin
Published 2021-10-05 · Updated 2021-10-13 · CVE-2021-3436
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
Name of the Vulnerable Software and Affected Versions:
Zephyr versions 1.14.2 and later
Zephyr versions 2.4.0 and later
Zephyr versions 2.5.0 and later
Description:
During the SMP key distribution phase, a peer that sends the identity address of a bond already stored on the device causes that existing bond to be overwritten with the keys of the new pairing. The root cause is that stored bonds are identified by identity address alone, so two pairings claiming the same identifier resolve to the same stored resource (use of multiple resources with duplicate identifier, CWE-694). Per the CVSS vector the attack needs no privileges and no user interaction; the impact is on integrity and availability (the legitimate peer's bond is replaced, so it can no longer reconnect with its stored keys) and there is no confidentiality impact.
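The duplicate-identifier problem described above, modeled as an added example for this page (this is not Zephyr's code; the bond store, the function names and the constructed PHONE/ROGUE addresses are this example's own assumptions). The unchecked handler files the keys of an in-progress pairing under whatever identity address the peer claims and so replaces an existing bond; the checked handler refuses a claimed identity address that already names a different bond and aborts that pairing instead.

```c
/* Model of a BLE bond store keyed by identity address, written for this page;
 * it is not Zephyr code and its names are the example's own. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDR_LEN  6
#define KEY_LEN   16
#define MAX_BONDS 4

struct bond {
    bool    in_use;
    uint8_t addr[ADDR_LEN]; /* identity address: the bond's only identifier */
    uint8_t ltk[KEY_LEN];   /* long-term key distributed during pairing */
};

struct bond_store { struct bond slots[MAX_BONDS]; };

/* Look up a bond by identity address; NULL when there is none. */
static struct bond *bond_find(struct bond_store *s, const uint8_t addr[ADDR_LEN])
{
    for (int i = 0; i < MAX_BONDS; i++) {
        if (s->slots[i].in_use && memcmp(s->slots[i].addr, addr, ADDR_LEN) == 0) {
            return &s->slots[i];
        }
    }
    return NULL;
}

/* Take a free slot for a pairing in progress, keyed by the peer's connection
 * address until its Identity Address Information arrives. NULL when full. */
static struct bond *bond_alloc(struct bond_store *s, const uint8_t addr[ADDR_LEN])
{
    for (int i = 0; i < MAX_BONDS; i++) {
        if (!s->slots[i].in_use) {
            memset(&s->slots[i], 0, sizeof s->slots[i]);
            s->slots[i].in_use = true;
            memcpy(s->slots[i].addr, addr, ADDR_LEN);
            return &s->slots[i];
        }
    }
    return NULL;
}

/* Unchecked key distribution: the keys of the pairing in progress (cur) are
 * filed under whatever identity address the peer claims. A bond that already
 * carries that address is silently replaced: the behaviour the advisory describes. */
int ident_info_unchecked(struct bond_store *s, struct bond *cur,
                         const uint8_t claimed[ADDR_LEN], const uint8_t ltk[KEY_LEN])
{
    struct bond *existing = bond_find(s, claimed);
    struct bond *target = existing ? existing : cur;

    memcpy(target->addr, claimed, ADDR_LEN);
    memcpy(target->ltk, ltk, KEY_LEN);
    if (target != cur) {
        cur->in_use = false; /* temporary slot merged into the old bond */
    }
    return 0;
}

/* Checked key distribution: a claimed identity address that already names a
 * different bond aborts this pairing instead of displacing that bond. */
int ident_info_checked(struct bond_store *s, struct bond *cur,
                       const uint8_t claimed[ADDR_LEN], const uint8_t ltk[KEY_LEN])
{
    struct bond *existing = bond_find(s, claimed);

    if (existing != NULL && existing != cur) {
        cur->in_use = false; /* drop the in-progress pairing, keep the old bond */
        return -EEXIST;
    }
    memcpy(cur->addr, claimed, ADDR_LEN);
    memcpy(cur->ltk, ltk, KEY_LEN);
    return 0;
}

/* Constructed scenario: a trusted phone is bonded under identity address PHONE;
 * a rogue peer connects from ROGUE and claims PHONE as its identity address.
 * Returns true when the trusted bond's LTK survives the rogue pairing. */
bool run_scenario(bool hardened)
{
    static const uint8_t PHONE[ADDR_LEN] = {0xC0, 0xFF, 0xEE, 0x00, 0x00, 0x01};
    static const uint8_t ROGUE[ADDR_LEN] = {0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x02};
    uint8_t phone_ltk[KEY_LEN], rogue_ltk[KEY_LEN];
    struct bond_store store = {0};

    memset(phone_ltk, 0x11, KEY_LEN);
    memset(rogue_ltk, 0xAA, KEY_LEN);
    struct bond *phone = bond_alloc(&store, PHONE);
    memcpy(phone->ltk, phone_ltk, KEY_LEN);

    struct bond *cur = bond_alloc(&store, ROGUE);
    int rc = hardened ? ident_info_checked(&store, cur, PHONE, rogue_ltk)
                      : ident_info_unchecked(&store, cur, PHONE, rogue_ltk);

    phone = bond_find(&store, PHONE);
    bool intact = phone != NULL && memcmp(phone->ltk, phone_ltk, KEY_LEN) == 0;

    printf("%-10s rc=%d, trusted bond %s\n", hardened ? "checked:" : "unchecked:",
           rc, intact ? "intact" : "overwritten");
    return intact;
}

int main(void)
{
    run_scenario(false);
    run_scenario(true);
    return 0;
}
```

The check is deliberately placed at the point where the identity address first arrives, before any key material is committed, so a rejected pairing leaves the existing bond and its LTK untouched.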
Recommendations:
The same bond-overwrite issue affects all three listed release lines, so the mitigation does not differ by version. Until a fixed release is available, reduce the window in which an unexpected pairing can reach the key distribution phase: keep the device non-bondable except during an explicit provisioning step (Zephyr's bt_set_bondable(false)), and use the application pairing callbacks in struct bt_conn_auth_cb (pairing_confirm, or pairing_accept where CONFIG_BT_SMP_APP_PAIRING_ACCEPT is available) to refuse pairing requests the application did not expect, in particular while bonds with other devices are already stored. Log every pairing_complete event so that a pairing that replaces an already-bonded identity address is noticed. Track the upstream Zephyr security advisory for CVE-2021-3436 and update to a release that contains the fix once one is published.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
CWE-694: Use of Multiple Resources with Duplicate Identifier
Related Identifiers
CVE-2021-3436
Affected Products
Zephyr