Eclipse USBX Out-of-Bounds Read Vulnerability in HID Report Descriptor Parsing
Vulnerability
A potential out-of-bounds read vulnerability has been identified in the USBX USB support module for Eclipse Foundation ThreadX, prior to version 6.4.3. The issue arises in the function '_ux_host_class_hid_report_descriptor_get()', which improperly parses HID report descriptors from USB HID devices. The vulnerability is caused by inadequate bounds checking and a potential integer underflow, allowing for out-of-bounds memory reads.
Impact
Exploitation of this vulnerability leads to out-of-bounds memory reads, which can potentially be exploited to execute arbitrary code or cause a denial-of-service condition.
Reproduction
The vulnerability can be reproduced by using a version of USBX prior to 6.4.3 and connecting a USB HID device that has a report descriptor capable of triggering the out-of-bounds read. The '_ux_host_class_hid_report_descriptor_get()' function will attempt to parse the descriptor, during which the insufficient bounds check and integer underflow can be exploited, causing an out-of-bounds read.
Remediation
Users are advised to update to USBX version 6.4.3 or later.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.