espressif/arduino-esp32
cpe:2.3:a:espressif:arduino-esp32:*:*:*:*:*:*:*
- < 3.3.8
A memory corruption vulnerability affects the Arduino core for ESP32 microcontrollers in versions prior to 3.3.8. The flaw is in NetBIOS Name Service (NBNS) packet processing: the parser does not properly validate the 'name_len' field of incoming requests. When NetBIOS is enabled, the device listens on UDP port 137 and accepts untrusted NBNS packets from the local network. A request with an invalid 'name_len' can therefore corrupt memory and crash or reset the device. Depending on various factors, the vulnerability might in some cases be exploitable for code execution.
Exploitation of this vulnerability causes memory corruption, which can lead to a crash or reset of the device. However, under certain conditions, it may also allow for unauthorized control of the device's execution flow.
The vulnerability can be reproduced by enabling NetBIOS on an affected device, which opens UDP port 137 to accept NBNS requests from the local network. Once NetBIOS is active, a crafted UDP packet that exploits the improper validation of the 'name_len' field causes an out-of-bounds read and a stack buffer overflow. The memory safety violations in the vulnerable packet handling can be confirmed with AddressSanitizer.
Users are advised to update to version 3.3.8 or later, where this vulnerability has been fixed. Additionally, when implementing NetBIOS, ensure that any incoming packets are properly validated to reject oversized 'name_len' values that could lead to memory corruption.