Eclipse USBX Out-of-Bounds Read Vulnerability in Audio Device Descriptor Parsing

Vulnerability

An out-of-bounds read has been identified in USBX, the USB support module of Eclipse Foundation ThreadX, in versions prior to 6.4.3. The defect is in the function '_ux_host_class_audio_device_type_get()', which parses the class-specific descriptors of a connected USB audio device to determine its type. The function trusts a count field inside the descriptor and keeps reading entries after the end of the descriptor buffer when a malicious or malformed device declares more entries than it actually supplies. The read past the buffer can crash the host or disclose adjacent memory.

Impact

Exploitation requires a crafted device to be attached to the host's USB port (or presented to it through a USB emulator). A successful attack results in a host crash or leakage of adjacent memory, according to the advisory.

Reproduction

The vulnerability can be reproduced by connecting a malicious USB device that enumerates as an audio device and presents a crafted audio descriptor. The descriptor should declare a high value in the byte that gives the number of streaming interface numbers while supplying fewer bytes than that count requires. When the host stack calls '_ux_host_class_audio_device_type_get()' to classify the device, the walk over the interface numbers reads past the end of the descriptor, triggering the out-of-bounds read.
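The bug class described in the two sections above, as an added example written for this page (C code of my own, not USBX's implementation; the descriptor layout follows the USB Audio Class 1.0 audio control header descriptor, and the function names, constants and sample bytes are assumptions made here): a parser that trusts the interface count, next to one that checks the count against the bytes actually delivered. The backing buffer is padded with marker bytes so the unchecked parser's over-read stays inside the process and the leaked bytes are visible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UAC 1.0 class-specific AC interface HEADER descriptor layout (offsets from
 * the spec; the constant names are this example's own, not USBX's):
 *   0 bLength, 1 bDescriptorType (0x24), 2 bDescriptorSubtype (0x01),
 *   3-4 bcdADC, 5-6 wTotalLength, 7 bInCollection, 8.. baInterfaceNr[] */
#define CS_INTERFACE        0x24u
#define AC_HEADER           0x01u
#define AC_HEADER_FIXED_LEN 8u   /* bytes before baInterfaceNr[] */
#define MAX_STREAM_IFACES   8u   /* cap for this example's output struct */

typedef struct {
    uint8_t count;
    uint8_t ifaces[MAX_STREAM_IFACES];
} ac_header_t;

/* Vulnerable pattern: trusts bInCollection and copies baInterfaceNr[] without
 * checking that those bytes lie inside the descriptor. 'len' is accepted but
 * never used, which is the bug. Only the output-array bound is enforced, so
 * the sample cannot overflow its own struct. Returns the entry count. */
static int parse_ac_header_unchecked(const uint8_t *d, size_t len, ac_header_t *out)
{
    (void)len;                         /* never consulted: over-read follows */
    uint8_t n = d[7];                  /* bInCollection, device-controlled */
    if (n > MAX_STREAM_IFACES)
        n = MAX_STREAM_IFACES;
    for (uint8_t i = 0; i < n; i++)
        out->ifaces[i] = d[AC_HEADER_FIXED_LEN + i];  /* may run past bLength */
    out->count = n;
    return n;
}

/* Hardened version: every index is validated against the bytes actually
 * delivered ('len', what remains of the configuration descriptor) and against
 * the descriptor's own bLength before it is dereferenced. Returns -1 for any
 * malformed input, otherwise the number of streaming interfaces found. */
static int parse_ac_header_checked(const uint8_t *d, size_t len, ac_header_t *out)
{
    if (len < AC_HEADER_FIXED_LEN)                     return -1; /* header cut short */
    uint8_t blength = d[0];
    if (blength < AC_HEADER_FIXED_LEN || blength > len) return -1; /* bLength exceeds data */
    if (d[1] != CS_INTERFACE || d[2] != AC_HEADER)      return -1; /* not an AC header */
    uint8_t n = d[7];
    if ((size_t)AC_HEADER_FIXED_LEN + n > blength)      return -1; /* array overruns bLength */
    if (n > MAX_STREAM_IFACES)                          return -1; /* more than we can store */
    memcpy(out->ifaces, d + AC_HEADER_FIXED_LEN, n);
    out->count = n;
    return n;
}

/* Constructed sample input (not captured from a real device): a header whose
 * bLength covers 10 bytes but whose bInCollection claims 5 interface numbers.
 * The 0xAA.. bytes stand in for whatever follows the descriptor in memory. */
static const uint8_t crafted[] = {
    0x0A, 0x24, 0x01, 0x00, 0x01, 0x2E, 0x00, 0x05, 0x01, 0x02, /* 10-byte descriptor */
    0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF                          /* "adjacent memory" */
};
#define CRAFTED_LEN 10u   /* bytes the enumeration actually delivered */

/* Variant: bLength itself (13) exceeds the 10 bytes delivered. */
static const uint8_t crafted_long[] = {
    0x0D, 0x24, 0x01, 0x00, 0x01, 0x2E, 0x00, 0x05, 0x01, 0x02,
    0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF
};

/* Well-formed header listing streaming interfaces 1 and 2. */
static const uint8_t valid[] = {
    0x0A, 0x24, 0x01, 0x00, 0x01, 0x2E, 0x00, 0x02, 0x01, 0x02
};

int main(void)
{
    ac_header_t h;
    int n = parse_ac_header_unchecked(crafted, CRAFTED_LEN, &h);
    printf("unchecked: %d entries:", n);
    for (int i = 0; i < n; i++) printf(" %02X", h.ifaces[i]);
    printf("   <- entries 3..5 come from outside the descriptor\n");
    printf("checked (crafted):      %d\n", parse_ac_header_checked(crafted, CRAFTED_LEN, &h));
    printf("checked (crafted_long): %d\n", parse_ac_header_checked(crafted_long, CRAFTED_LEN, &h));
    printf("checked (valid):        %d\n", parse_ac_header_checked(valid, sizeof valid, &h));
    return 0;
}
```

The two checks that matter are independent: bLength must fit inside the bytes the device actually sent, and the declared count must fit inside bLength. A host parser that enforces only one of them is still reachable by one of the two crafted inputs above.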

Remediation

Users are advised to update to USBX version 6.4.3 or later.

Added: Oct 17, 2025, 6:18 AM
Updated: Oct 17, 2025, 6:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 3.6
remediation: 7.7
relevance: 0.8
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.