Golioth Pouch BLE GATT Heap-Based Buffer Overflow Vulnerability

Vulnerability

A heap-based buffer overflow vulnerability has been identified in Golioth Pouch version 0.1.0, prior to commit 1b2219a1. The issue arises in the Bluetooth Low Energy (BLE) Generic Attribute Profile (GATT) server certificate handling. The vulnerability occurs because the 'server_cert_write()' function allocates a heap buffer sized according to 'CONFIG_POUCH_SERVER_CERT_MAX_LEN' when the first fragment is received. Subsequent fragments are then appended using 'memcpy()' without checking whether enough capacity remains in that buffer. This flaw allows an adjacent BLE client to send unauthenticated fragments that, when combined, exceed the allocated buffer size, leading to a heap overflow, a crash, and potential memory corruption.
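As an added illustration, not Golioth's code, the C below reconstructs the fragment-append pattern described above with the missing remaining-capacity check in place: the first fragment allocates a fixed-size heap buffer, later fragments are appended only if they fit. The function names, the 64-byte stand-in for CONFIG_POUCH_SERVER_CERT_MAX_LEN and the return codes are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for CONFIG_POUCH_SERVER_CERT_MAX_LEN; not the project's value. */
#define CERT_MAX_LEN 64
#define CERT_OK 0
#define CERT_ENOMEM (-1)
#define CERT_EOVERFLOW (-2)
#define CERT_EINVAL (-3)
/* Reassembly state for a certificate delivered as a series of GATT writes. */
struct cert_buf { uint8_t *data; size_t cap; size_t len; };
/* Handle one write fragment: the first fragment allocates the fixed-size heap
 * buffer, later ones append. The remaining-capacity check before memcpy() is
 * the guard the advisory describes as missing in the affected version. */
int cert_write_fragment(struct cert_buf *b, const uint8_t *frag, size_t frag_len, int first)
{
    if (first) {
        free(b->data);                      /* drop any half-assembled cert */
        b->data = malloc(CERT_MAX_LEN);
        if (!b->data) return CERT_ENOMEM;
        b->cap = CERT_MAX_LEN;
        b->len = 0;
    } else if (!b->data) {
        return CERT_EINVAL;                 /* append with no first fragment */
    }
    if (frag_len > b->cap - b->len)         /* would overrun the heap buffer */
        return CERT_EOVERFLOW;
    memcpy(b->data + b->len, frag, frag_len);
    b->len += frag_len;
    return CERT_OK;
}
void cert_buf_free(struct cert_buf *b) { free(b->data); b->data = NULL; b->cap = b->len = 0; }
/* Feed a constructed fragment sequence; returns the assembled length, or the
 * first error code. Oversized fragments are rejected before any copy. */
long reassemble(const size_t *frag_lens, size_t n)
{
    struct cert_buf b = { 0 };
    uint8_t frag[CERT_MAX_LEN];
    memset(frag, 0xAB, sizeof frag);        /* constructed payload bytes */
    for (size_t i = 0; i < n; i++) {
        int rc = cert_write_fragment(&b, frag, frag_lens[i], i == 0);
        if (rc != CERT_OK) { cert_buf_free(&b); return rc; }
    }
    long total = (long)b.len;
    cert_buf_free(&b);
    return total;
}
```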

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, resulting in a crash and memory corruption, which could allow for unauthorized modification of memory.

Remediation

Users can update to Golioth Pouch version 0.1.0 or later to address this vulnerability.

Added: Feb 26, 2026, 6:45 PM
Updated: Feb 26, 2026, 7:42 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 5.6
remediation: 0.0
relevance: 3.2
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.