CVE-2023-48691

Azure RTOS NetX Duo is a TCP/IP network stack designed specifically for deeply embedded real-time and IoT applications. An attacker can cause an out-of-bounds write in Azure RTOS NETX Duo, that could lead to remote code execution. The affected components include process related to IGMP protocol in RTOS v6.2.1 and below. The fix has been included in NetX Duo release 6.3.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/azure-rtos/netxduo/security/advisories/GHSA-fwmg-rj6g-w99p	Third Party Advisory
https://github.com/azure-rtos/netxduo/security/advisories/GHSA-fwmg-rj6g-w99p	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:microsoft:azure_rtos_netx_duo:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:32

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~9.8~~	v2 : unknown v3 : 8.1
References	~~() https://github.com/azure-rtos/netxduo/security/advisories/GHSA-fwmg-rj6g-w99p - Third Party Advisory~~	() https://github.com/azure-rtos/netxduo/security/advisories/GHSA-fwmg-rj6g-w99p - Third Party Advisory

08 Dec 2023, 19:17

Type	Values Removed	Values Added
CPE		cpe:2.3:o:microsoft:azure_rtos_netx_duo::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Microsoft azure Rtos Netx Duo Microsoft
References	~~() https://github.com/azure-rtos/netxduo/security/advisories/GHSA-fwmg-rj6g-w99p -~~	() https://github.com/azure-rtos/netxduo/security/advisories/GHSA-fwmg-rj6g-w99p - Third Party Advisory

05 Dec 2023, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-05 01:15

Updated : 2024-11-21 08:32

NVD link : CVE-2023-48691

Mitre link : CVE-2023-48691

CVE.ORG link : CVE-2023-48691

JSON object : View

Products Affected

microsoft

azure_rtos_netx_duo

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2023-48691", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2023-12-05T01:15:07.747", "references": [{"url": "https://github.com/azure-rtos/netxduo/security/advisories/GHSA-fwmg-rj6g-w99p", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/azure-rtos/netxduo/security/advisories/GHSA-fwmg-rj6g-w99p", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "Azure RTOS NetX Duo is a TCP/IP network stack designed specifically for deeply embedded real-time and IoT applications. An attacker can cause an out-of-bounds write in Azure RTOS NETX Duo, that could lead to remote code execution. The affected components include process related to IGMP protocol in RTOS v6.2.1 and below. The fix has been included in NetX Duo release 6.3.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Azure RTOS NetX Duo es una pila de red TCP/IP dise\u00f1ada espec\u00edficamente para aplicaciones de IoT y en tiempo real profundamente integradas. Un atacante puede provocar una escritura fuera de los l\u00edmites en Azure RTOS NETX Duo, lo que podr\u00eda provocar la ejecuci\u00f3n remota de c\u00f3digo. Los componentes afectados incluyen procesos relacionados con el protocolo IGMP en RTOS v6.2.1 y versiones anteriores. La soluci\u00f3n se incluy\u00f3 en la versi\u00f3n 6.3.0 de NetX Duo. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2024-11-21T08:32:15.980", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:azure_rtos_netx_duo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "401B08CC-CEC4-458C-B00D-5083B8DDC38A", "versionEndExcluding": "6.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}