CVE-2024-53980

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-53980
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-53980.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-53980
Aliases
  • GHSA-m75q-8vj8-wppw
Published
2024-11-29T18:56:57.584Z
Modified
2026-04-10T05:18:26.685254Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Spoofed length byte traps CC2538 in endless loop
Details

RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A malicious actor can send a IEEE 802.15.4 packet with spoofed length byte and optionally spoofed FCS, which eventually results into an endless loop on a CC2538 as receiver. Before PR #20998, the receiver would check for the location of the CRC bit using the packet length byte by considering all 8 bits, instead of discarding bit 7, which is what the radio does. This then results into reading outside of the RX FIFO. Although it prints an error when attempting to read outside of the RX FIFO, it will continue doing this. This may lead to a discrepancy in the CRC check according to the firmware and the radio. If the CPU judges the CRC as correct and the radio is set to AUTO_ACK, when the packet requests and acknowledgment the CPU will go into the state CC2538_STATE_TX_ACK. However, if the radio judged the CRC as incorrect, it will not send an acknowledgment, and thus the TXACKDONE event will not fire. It will then never return to the state CC2538_STATE_READY since the baseband processing is still disabled. Then the CPU will be in an endless loop. Since setting to idle is not forced, it won't do it if the radio's state is not CC2538_STATE_READY. A fix has not yet been made.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53980.json",
    "cwe_ids": [
        "CWE-835"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/riot-os/riot

Affected ranges

Type
GIT
Repo
https://github.com/riot-os/riot
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
e3c02f56015c4b9061dc98d70205048658ed5ad9
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2024.07"
        }
    ]
}

Affected versions

2013.*
2013.08
2014.*
2014.01
2014.05
2014.12
2015.*
2015.09-RC1
2015.12-RC1
2015.12-devel
2016.*
2016.03-devel
2016.04-RC1
2016.07-RC1
2016.07-RC2
2016.07-devel
2016.10-RC1
2016.10-devel
2017.*
2017.01-RC1
2017.01-devel
2017.04-RC1
2017.04-devel
2017.07-RC1
2017.07-devel
2017.10-RC1
2017.10-devel
2018.*
2018.01-RC1
2018.01-devel
2018.04-RC1
2018.04-devel
2018.07-RC1
2018.07-devel
2018.10-RC1
2018.10-devel
2019.*
2019.01-RC1
2019.01-devel
2019.04-RC1
2019.04-devel
2019.07-RC1
2019.07-devel
2019.10-RC1
2019.10-devel
2020.*
2020.01-RC1
2020.01-devel
2020.04-RC1
2020.04-devel
2020.07-RC1
2020.07-devel
2020.10-RC1
2020.10-devel
2021.*
2021.01-RC1
2021.01-devel
2021.04-RC1
2021.04-devel
2021.07-RC1
2021.07-devel
2021.10-RC1
2021.10-devel
2022.*
2022.01-RC1
2022.01-devel
2022.04-RC1
2022.04-devel
2022.07-RC1
2022.07-devel
2022.10-RC1
2022.10-devel
2023.*
2023.01-RC1
2023.01-devel
2023.04-RC1
2023.04-devel
2023.07-RC1
2023.07-devel
2023.10-RC1
2023.10-devel
2024.*
2024.01-RC1
2024.01-devel
2024.04-RC1
2024.04-devel
2024.07-devel

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-53980.json"