Zephyr Bluetooth Mesh Out-of-Bound Write Vulnerability in gen_prov_cont Function Allowing Arbitrary Code Execution

Vulnerability

A vulnerability exists in the Zephyr Bluetooth Mesh implementation, specifically in the gen_prov_cont function of pb_adv.c, in versions through 4.2. This out-of-bounds write can lead to arbitrary code execution. On embedded devices running Zephyr, which typically lack robust memory protection, it could cause a crash and result in a denial-of-service condition; even on devices with some memory protection, it could still lead to a crash and denial of service.

Impact

Exploitation of this vulnerability causes an out-of-bounds write, potentially leading to arbitrary code execution. In real-time operating systems like Zephyr, which are commonly used in embedded devices without standard memory protection, this could allow code execution. Even on devices with some memory protection, the vulnerability could cause a crash, leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a message whose segment variable is user-controlled. If the segment variable is set to zero, the offset calculation underflows, which can be exploited to perform an out-of-bounds write. This is done by manipulating the data length so that it exceeds the receive buffer's capacity, taking advantage of the flawed validation in the gen_prov_cont function.
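As an added illustration (not Zephyr's code, and using assumed segment sizes and buffer layout), the following C model shows the kind of unsigned offset arithmetic that wraps for a segment index of zero, next to a validation routine that rejects index zero and any data length that would overrun the announced transaction or the receive buffer:

```c
/* Constructed model of a PB-ADV style segmented receive path (not Zephyr's
 * code; sizes are assumptions). Segment 0 is the start PDU carrying the first
 * START_DATA_LEN bytes; continuations 1..last_seg carry CONT_DATA_LEN each. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define START_DATA_LEN 20u
#define CONT_DATA_LEN  23u
#define RX_BUF_SIZE   128u

struct rx_link {
    uint8_t buf[RX_BUF_SIZE];
    uint16_t total_len; /* length announced by the start PDU */
    uint8_t last_seg;   /* highest continuation index expected */
};

/* Flawed arithmetic: trusts seg, so seg == 0 wraps (seg - 1u) and yields
 * an offset far outside buf. Kept only to make the defect visible. */
static uint32_t cont_offset_unchecked(uint8_t seg)
{
    return START_DATA_LEN + (seg - 1u) * CONT_DATA_LEN;
}
/* Hardened variant: accept a continuation only when the index is
 * 1..last_seg and the data lies inside both the announced total and buf. */
static bool cont_offset_checked(const struct rx_link *link, uint8_t seg,
                                size_t data_len, size_t *offset)
{
    if (seg == 0 || seg > link->last_seg || data_len > CONT_DATA_LEN) {
        return false; /* index 0 is the start PDU, never a continuation */
    }
    size_t off = START_DATA_LEN + (size_t)(seg - 1) * CONT_DATA_LEN;
    if (off > link->total_len || data_len > link->total_len - off ||
        off > RX_BUF_SIZE || data_len > RX_BUF_SIZE - off) {
        return false; /* would run past the transaction or the buffer */
    }
    *offset = off;
    return true;
}

/* Copy a continuation into the reassembly buffer only after validation. */
static bool rx_cont_segment(struct rx_link *link, uint8_t seg,
                            const uint8_t *data, size_t data_len)
{
    size_t off;
    if (!cont_offset_checked(link, seg, data_len, &off)) return false;
    memcpy(&link->buf[off], data, data_len);
    return true;
}
```

The checks are ordered so that every subtraction is guarded by a preceding comparison, which is what keeps the hardened version free of the wrap the unchecked version exhibits.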

Remediation

Users can upgrade to Zephyr versions 4.1 or 4.2, where this vulnerability has been patched.

Added: Nov 26, 2025, 6:17 AM
Updated: Nov 26, 2025, 6:17 AM

Vulnerability Rating (Custom Algorithm)

spread: 6.6
impact: 7.5
exploitability: 5.0
remediation: 0.0
relevance: 1.1
threat: 1.6
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.