PT-2023-18895 · Ciq Api · Ciq Api

Published

2023-05-23

Updated

2023-05-30

CVE-2023-23300

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions CIQ API versions 3.0.0 through 4.1.7

Description The issue concerns the Toybox.Cryptography.Cipher.initialize API method, which does not validate its parameters. This lack of validation can lead to buffer overflows when copying data, potentially allowing a malicious application to hijack the execution of the device's firmware by calling the API method with specially crafted parameters.

Recommendations For CIQ API versions 3.0.0 through 4.1.7, consider disabling the Toybox.Cryptography.Cipher.initialize API method until a patch is available to prevent potential buffer overflows and hijacking of the device's firmware execution.

Exploit

Fix

Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-120

Related Identifiers

CVE-2023-23300

Affected Products

Ciq Api

PT-2023-18895 · Ciq Api · Ciq Api

CVE-2023-23300

Weakness Enumeration

Related Identifiers

Affected Products

References · 5