René Helmke 7791f18b51 bootstrap
2023-05-16 16:09:41 +02:00


{
"id": "CVE-2020-4060",
"sourceIdentifier": "security-advisories@github.com",
"published": "2020-06-22T16:15:11.557",
"lastModified": "2020-07-01T14:31:51.257",
"vulnStatus": "Analyzed",
"descriptions": [
{
"lang": "en",
"value": "In LoRa Basics Station before 2.0.4, there is a Use After Free vulnerability that leads to memory corruption. This bug is triggered on 32-bit machines when the CUPS server responds with a message (https://doc.sm.tc/station/cupsproto.html#http-post-response) where the signature length is larger than 2 GByte (never happens in practice), or the response is crafted specifically to trigger this issue (i.e. the signature length field indicates a value larger than (2**31)-1 although the signature actually does not contain that much data). In such a scenario, on 32-bit machines, Basic Station would execute a code path where a piece of memory is accessed after it has been freed, causing the process to crash and be restarted. The CUPS transaction is typically mutually authenticated over TLS. Therefore, in order to trigger this vulnerability, the attacker would have to gain access to the CUPS server first. If the user chose to operate without authentication over TLS but is concerned about this vulnerability, one possible workaround is to enable TLS authentication. This has been fixed in 2.0.4."
},
{
"lang": "es",
"value": "En LoRa Basics Station versiones anteriores a 2.0.4, se presenta una vulnerabilidad de Uso de la Memoria Previamente Liberada que conlleva a una corrupci\u00f3n de la memoria. Este error es desencadenado en m\u00e1quinas de 32 bits cuando el servidor CUPS responde con un mensaje (https://doc.sm.tc/station/cupsproto.html#http-post-response) donde la longitud de la firma es mayor que 2 GByte (nunca sucede en la pr\u00e1ctica), o la respuesta est\u00e1 dise\u00f1ada espec\u00edficamente para desencadenar este problema (es decir, el campo length signature indica un valor mayor que (2**31)-1 aunque la firma en realidad no contiene tantos datos). En tal escenario, en m\u00e1quinas de 32 bits, Basic Station ejecutar\u00eda una ruta de c\u00f3digo, donde se accede a una porci\u00f3n de memoria despu\u00e9s de que ha sido liberada, lo que hace que el proceso se bloquee y se reinicie nuevamente. La transacci\u00f3n de CUPS generalmente se autentica mutuamente por medio de TLS. Por lo tanto, para desencadenar esta vulnerabilidad, el atacante primero tendr\u00eda que conseguir acceso al servidor CUPS. Si el usuario elige operar sin autenticaci\u00f3n por medio de TLS pero est\u00e1 preocupado por esta vulnerabilidad, una soluci\u00f3n posible es habilitar la autenticaci\u00f3n TLS. Esto se ha corregido en la versi\u00f3n 2.0.4"
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "LOW",
"baseScore": 5.0,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 3.1,
"impactScore": 1.4
},
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 2.3,
"impactScore": 1.4
}
],
"cvssMetricV2": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "SINGLE",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0
},
"baseSeverity": "MEDIUM",
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-416"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:semtech:lora_basics_station:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.0.4",
"matchCriteriaId": "BF29D2B9-752D-41CA-BF80-3AFEC3095467"
}
]
}
]
}
],
"references": [
{
"url": "https://github.com/lorabasics/basicstation/security/advisories/GHSA-v9ph-r496-4m2j",
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
]
}
]
}