Apache NuttX RTOS Bluetooth Stack HCI and UART Buffer Overflow Vulnerability Allowing Denial-of-Service and Arbitrary Code Execution

Vulnerability

A vulnerability has been identified in the Bluetooth stack of Apache NuttX RTOS, specifically in the HCI and UART components. It arises from improper restriction of operations within the bounds of a memory buffer, leading to a stack-based buffer overflow. It can be exploited by sending maliciously crafted packets, potentially causing a system crash, denial-of-service, or arbitrary code execution. The issue affects Apache NuttX versions from 7.25 up to, but not including, 12.9.0.

Impact

Exploitation of this vulnerability can cause a system crash, leading to a denial-of-service condition, or allow for arbitrary code execution on the affected system.

Reproduction

The vulnerability can be reproduced by sending maliciously crafted packets over Bluetooth to a device running an affected version of Apache NuttX RTOS. This can be done using a Bluetooth-enabled device or tool that allows for the creation and transmission of custom Bluetooth packets. Once the packets are received, the improper buffer length verification can lead to a stack-based buffer overflow, causing a crash or allowing for code execution.

Remediation

Users are advised to upgrade to Apache NuttX version 12.9.0, which addresses these vulnerabilities by fixing the underlying implementation issues.
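
The kind of length verification this class of defect calls for can be illustrated with a bounds-checked parser for H4 (UART) HCI frames, where the payload length is read from the packet header. This is an added example, not NuttX code or the project's fix; the function names, error codes, 64-byte buffer size and sample frames are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative names and sizes (assumptions), not taken from NuttX. */
#define H4_ACL      0x02  /* H4 packet indicator: ACL data  */
#define H4_EVT      0x04  /* H4 packet indicator: HCI event */
#define RX_BUF_SIZE 64    /* assumed receive buffer capacity */
enum { RX_SHORT = -1, RX_BAD_TYPE = -2, RX_TOO_LONG = -3 };

/* Copy the payload of one H4 frame (bytes as read from the UART) into out.
 * Returns the payload length, or a negative error code. */
int h4_rx_frame(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t hdr_len, payload_len;
    if (in_len < 1) return RX_SHORT;
    if (in[0] == H4_EVT) hdr_len = 2;       /* event code (1), parameter length (1) */
    else if (in[0] == H4_ACL) hdr_len = 4;  /* handle+flags (2), data length (2, LE) */
    else return RX_BAD_TYPE;
    if (in_len < 1 + hdr_len) return RX_SHORT;  /* header must be complete */
    payload_len = (hdr_len == 2) ? in[2] : ((size_t)in[3] | ((size_t)in[4] << 8));
    /* The length field comes from the peer: bound it by the destination
     * capacity and by the bytes actually received before copying. */
    if (payload_len > out_cap) return RX_TOO_LONG;
    if (payload_len > in_len - 1 - hdr_len) return RX_SHORT;
    memcpy(out, in + 1 + hdr_len, payload_len);
    return (int)payload_len;
}

/* Constructed sample frames. */
static const uint8_t good_evt[]  = {0x04, 0x0e, 0x03, 0x01, 0x02, 0x03};
static const uint8_t long_acl[]  = {0x02, 0x01, 0x00, 0xff, 0x00, 0xaa}; /* declares 255 bytes */
static const uint8_t short_evt[] = {0x04, 0x0e, 0x10, 0x01};             /* declares 16, carries 1 */

int check(const uint8_t *frame, size_t len)  /* parse into a fixed-size stack buffer */
{
    uint8_t buf[RX_BUF_SIZE];
    return h4_rx_frame(frame, len, buf, sizeof buf);
}

int main(void)
{
    printf("%d %d %d\n", check(good_evt, sizeof good_evt),
           check(long_acl, sizeof long_acl), check(short_evt, sizeof short_evt));
    return 0;
}
```

Rejecting a frame whose declared length exceeds either bound leaves the stack buffer untouched, so an oversized or truncated packet yields an error code instead of a write past the end of `buf`.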

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 7.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.