Teradici PCoIP firmware 4.1.2 upgrade path driver
Uncontrolled search path element vulnerability in Samsung Android USB Driver windows installer program prior to version 1.7.50 allows attacker to execute arbitrary code.

ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free.

This fix has been included in USBX release 6.1.10. The USB host stack needs to validate the number of ports reported by the hub, and if the value is larger than `UX_MAX_TT`, the USB stack needs to reject the request. For a `bNbPorts` value of 255, the implementation of the `ux_host_class_hub_descriptor_get` function will modify the contents of the `hub` -> `ux_host_class_hub_device` -> `ux_device_hub_tt` array, violating the end boundary by 255 - `UX_MAX_TT` items.
In versions prior to 6.1.10, an attacker can cause a buffer overflow by providing the Azure RTOS USBX host stack a HUB descriptor with `bNbPorts` set to a value greater than `UX_MAX_TT`, which defaults to 8.

As a workaround, align request and buffer size to assure that buffer boundaries are respected. Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. A fix for this issue has been included in USBX release 6.1.11.
Teradici PCoIP firmware 4.1.2 upgrade path code
Furthermore, if an attacker has some control over the flash memory being read, this may result in execution of arbitrary code and platform compromise. For example, `ux_slave_class_dfu_read` may read 4096 bytes (or more, up to 65k) into a 256 byte buffer, ultimately resulting in an overflow.
When an attacker issues the `UX_SLAVE_CLASS_DFU_COMMAND_UPLOAD` control transfer request with `wLength` larger than the buffer size (`UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH`, 256 bytes), depending on the actual implementation of `dfu -> ux_slave_class_dfu_read`, a buffer overflow may occur. The implementation of the `ux_device_class_dfu_control_request` function does not assure that a buffer overflow will not occur during handling of the DFU UPLOAD command. In particular cases this may allow an attacker to bypass security features or execute arbitrary code. Prior to version 6.1.11, the USBX DFU UPLOAD functionality may be utilized to introduce a buffer overflow resulting in overwrite of memory contents.

An attacker must attach a keyboard to a USB port, press F12, and then escape from the kiosk mode.

Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack.

Konica Minolta bizhub MFP devices before allow a Sandbox Escape.

Improper validation of integrity check vulnerability in Samsung USB Driver Windows Installer for Mobile Phones prior to version 1.7.56.0 allows local attackers to delete arbitrary directory using directory junction.

Successful exploitation of this vulnerability may affect system availability. The AT commands of the USB port have an out-of-bounds read vulnerability.

allows an administrator (who ordinarily does not have a supported way to uninstall the product) to disable some of the agent functionality and then exfiltrate files to an external USB device.