CVE-2023-48698 is a vulnerability in Microsoft Azure RTOS USBX
Published on December 5, 2023

Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack that is fully integrated with Azure RTOS ThreadX. An attacker can cause remote code execution due to expired pointer dereference vulnerabilities in Azure RTOS USBX. The affected components include functions/processes in the host stack and host classes, related to device linked classes, GSER and HID in RTOS v6.2.1 and below. The fixes have been included in USBX release 6.3.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

NVD

Vulnerability Analysis

CVE-2023-48698 is exploitable with network access and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical, as this vulnerability has a high impact on the confidentiality, integrity and availability of this component.

Improper Check for Unusual or Exceptional Conditions

The software does not check, or incorrectly checks, for unusual or exceptional conditions that are not expected to occur frequently during day-to-day operation of the software.

What is a Dangling pointer Vulnerability?

The program dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid. When a program releases memory, but it maintains a pointer to that memory, then the memory might be re-allocated at a later time. If the original pointer is accessed to read or write data, then this could cause the program to read or modify data that is in use by a different function or process. Depending on how the newly-allocated memory is used, this could lead to a denial of service, information exposure, or code execution.

CVE-2023-48698 has been classified as a Dangling pointer vulnerability or weakness.


Products Associated with CVE-2023-48698


What versions of Azure Rtos Usbx are vulnerable to CVE-2023-48698?