Security Advisory on "BadAlloc" Vulnerabilities

Security Advisory!Issue Summary !BadAlloc is a family of vulnerabilities related to integer overflows in heap handling functions in several RTOSes and libraries. The list of vulnerabilities can be found at https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04 .!• Impact These vulnerabilities occur when the attacker can cause an application to execute some type of memory allocation operation with an attacker-controlled size. This leads to an integer arithmetic overflow when calculating the size of the allocated memory, and subsequently to a heap buﬀer overflow or heap corruption.!• Vulnerability details ESP-IDF is aﬀected by the following vulnerabilities in FreeRTOS: CVE-2021-31571, CVE-2021-31572. ESP-IDF is NOT aﬀected by the vulnerability in Newlib: CVE-2021-3420.!ESP-IDF heap management routines include protection against this type of vulnerabilities since v3.1.4 and v3.2 releases. The oldest maintained release at the time of writing is v3.3.x. !CVE-2021-31571 is related to an overflow in xQueueCreate function and aﬀects ESP-IDF v3.x, v4.0.x until v4.0.3, v4.1.x until v4.1.2, v4.2.x until v4.2.2. ESP-IDF v4.3 and later is not aﬀected. Applications are aﬀected if an attacker can cause the application to call xQueueCreate with element size or element count values controlled by the attacker.!CVE-2021-31572 is related to an overflow in xStreamBuﬀerCreate function. It aﬀects only the following pre-release versions: v4.3-beta1, v4.3-beta2, v4.3-beta3. It doesn’t aﬀect any release versions. As in the TitleSecurity Advisory on "BadAlloc" VulnerabilitiesIssue date2021-10-27Advisory NumberAR2021-005Serial NumberCVE-2021-3420 CVE-2021-31571 CVE-2021-31572VersionV1.0/21 case with CVE-2021-31571, applications are aﬀected if the attacker can control the arguments of xStreamBuﬀerCreate function call.!Patched versions of ESP-IDF Customers using an older version and unable to upgrade can manually apply the following fixes:!• https://github.com/FreeRTOS/FreeRTOS-Kernel/commit/47338393f1f79558f6144213409f09f81d7c4837!• https://github.com/FreeRTOS/FreeRTOS-Kernel/commit/d05b9c123f2bf9090bce386a244fc934ae44db5b$(applies only to release/v4.3 branch until 788312a; older and newer versions are not aﬀected)!Recommendations for application developers Even in the absence of these vulnerabilities, an attacker able to control the sizes of memory allocations done by an application can cause denial of service by exhausting the device memory. We recommend sanitizing and validate the ranges of values received from untrusted sources before using these values in the application. For example, if a protocol or file format includes variable-length data prefixed by the length value, the application should check whether the length value is in the expected range before using it, for example, to allocate a buﬀer for the data.ESP-IDF ReleaseCommit IDMaster639e7adrelease/v4.3788312a, part of v4.3 releaserelease/v4.2fc7bf95, part of v4.2.2 releaserelease/v4.14922973, part of v4.1.2 releaserelease/v4.05ba7202, part of v4.0.3 releaserelease/v3.3fa00fd5, not part of any release yet. Will be included in v3.3.6 bugfix release./22