Out-of-bounds write in ConnMan

#VU67397 Out-of-bounds write in ConnMan

Published: 2022-09-15

Vulnerability identifier: #VU67397

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-32292

CWE-ID: CWE-787

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
ConnMan
Universal components / Libraries / Libraries used by multiple products

Vendor: kernel.org

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error within the received_data method. A remote attacker on the local network can trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ConnMan: 1.0 - 1.41

CPE

cpe:2.3:a:kernel_org:connman:1.41:*:*:*:*:*:*:*

External links
http://bugzilla.suse.com/show_bug.cgi?id=1200189
http://lore.kernel.org/connman/20220801080043.4861-5-wagi@monom.org/
http://www.zerodayinitiative.com/advisories/ZDI-22-1187/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Debian update for connman

Multiple vulnerabilities in ConnMan