MidnightBSD

Advisories for cypress

CVE-2018-19860 MEDIUM

Broadcom firmware before summer 2014 on Nexus 5 BCM4335C0 2012-12-11, Raspberry Pi 3 BCM43438A1 2014-06-02, and unspecifed other devices does not properly restrict LMP commnds and executes certain memory contents upon receiving an LMP command, as demonstrated by executing an HCI command.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-732,

Products Affected

Vendor Product Version
cypress cyw20730a1kml2g_firmware -
cypress cyw20706ua1kffb4g_firmware -
cypress cyw20730a1kmlgt_firmware -
cypress cyw20734ua1kffb3g_firmware -
cypress cyw20733a2kml1gt_firmware -
cypress cyw20704ua1kffb1g_firmware -
cypress cyw20733a3kfb1g_firmware -
cypress cyw20734ua2kffb3gt_firmware -
cypress cyw20703ua1kffb1g_firmware -
cypress cyw20733a1kfb1gt_firmware -
cypress cyw4354kkwbgt_firmware -
cypress cyw89072brfb5gt_firmware -
cypress cyw20706ua1kffb1gt_firmware -
cypress cyw20733a2kml1g_firmware -
cypress cyw20705a1kwfbgt_firmware -
cypress cyw20733a2kfb1g_firmware -
cypress cyw20706ua2kffb4gt_firmware -
cypress cyw20707va2pkwbgt_firmware -
broadcom bcm43438a1_firmware 2014-06-02
cypress cyw20733a2kfb1gt_firmware -
cypress cyw20707ua1kffb4gt_firmware -
cypress cyw20730a1kfbg_firmware -
cypress cyw20730a2kml2g_firmware -
cypress cyw4343wkubgt_firmware -
cypress cyw89071a1cubxgt_firmware -
cypress cyw20706ua1kffb1g_firmware -
cypress cyw20704ua1kffb1gt_firmware -
cypress cyw20730a1kfbgt_firmware -
cypress cyw20707a2kubgt_firmware -
cypress cyw20730a2kfbg_firmware -
cypress cyw20704ua2kffb1gt_firmware -
cypress cyw20707ua1kffb1g_firmware -
cypress cyw20734ua2kffb3g_firmware -
cypress cyw20733a3kml1g_firmware -
cypress cyw4354xkubgt_firmware -
broadcom bcm4335c0_firmware 2012-12-11
cypress cyw20730a1kmlg_firmware -
cypress cyw20702a1kwfbg_firmware -
cypress cyw20733a3kfb1gt_firmware -
cypress cyw20702a1kwfbgt_firmware -
cypress cyw20703ua1kffb1gt_firmware -
cypress cyw89072brfb5g_firmware -
cypress cyw20730a1kml2gt_firmware -
cypress cyw20733a3kfb2gt_firmware -
cypress cyw20705b0kwfbgt_firmware -
cypress cyw4343wkwbgt_firmware -
cypress cyw20707va1pkwbgt_firmware -
cypress cyw20702b0kwfbgt_firmware -
cypress cyw20707ua2kffb4gt_firmware -
cypress cyw20730a2kml2gt_firmware -
cypress cyw20702b0kwfbg_firmware -
cypress cyw20730a2kfbgt_firmware -
cypress cyw20733a3kml1gt_firmware -
cypress cyw89335l2cubgt_firmware -
cypress cyw43438kubgt_firmware -
cypress cyw4343w1kubgt_firmware -
cypress cyw89335lcubgt_firmware -
cypress cyw20734ua1kffb3gt_firmware -
cypress cyw20706ua2kffb4g_firmware -
cypress cyw20707ua2kffb4g_firmware -
cypress cyw20704ua2kffb1g_firmware -
cypress cyw20705b0kwfbg_firmware -
cypress cyw20707ua1kffb4g_firmware -
CVE-2019-13916 MEDIUM

An issue was discovered in Cypress (formerly Broadcom) WICED Studio 6.2 CYW20735B1 and CYW20819A1. As a Bluetooth Low Energy (BLE) packet is received, it is copied into a Heap (ThreadX Block) buffer. The buffer allocated in dhmulp_getRxBuffer is four bytes too small to hold the maximum of 255 bytes plus headers. It is possible to corrupt a pointer in the linked list holding the free buffers of the g_mm_BLEDeviceToHostPool Block pool. This pointer can be fully controlled by overflowing with 3 bytes of packet data and the first byte of the packet CRC checksum. The checksum can be freely chosen by adapting the packet data accordingly. An attacker might be able to allocate the overwritten address as a receive buffer resulting in a write-what-where condition. This is fixed in BT SDK2.4 and BT SDK2.45.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
cypress wiced_studio 6.2
CVE-2019-16336 LOW

The Bluetooth Low Energy implementation in Cypress PSoC 4 BLE component 3.61 and earlier processes data channel frames with a payload length larger than the configured link layer maximum RX payload size, which allows attackers (in radio range) to cause a denial of service (crash) via a crafted BLE Link Layer frame.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-120,

Products Affected

Vendor Product Version
cypress cyble-416045 *
cypress cybl11573 *
CVE-2019-17061 MEDIUM

The Bluetooth Low Energy (BLE) stack implementation on Cypress PSoC 4 through 3.62 devices does not properly restrict the BLE Link Layer header and executes certain memory contents upon receiving a packet with a Link Layer ID (LLID) equal to zero. This allows attackers within radio range to cause deadlocks, cause anomalous behavior in the BLE state machine, or trigger a buffer overflow via a crafted BLE Link Layer frame.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
cypress psoc_4_ble *
CVE-2019-18614 MEDIUM

On the Cypress CYW20735 evaluation board, any data that exceeds 384 bytes is copied and causes an overflow. This is because the maximum BLOC buffer size for sending and receiving data is set to 384 bytes, but everything else is still configured to the usual size of 1092 (which was used for everything in the previous CYW20719 and later CYW20819 evaluation board). To trigger the overflow, an attacker can either send packets over the air or as unprivileged local user. Over the air, the minimal PoC is sending "l2ping -s 600" to the target address prior to any pairing. Locally, the buffer overflow is immediately triggered by opening an ACL or SCO connection to a headset. This occurs because, in WICED Studio 6.2 and 6.4, BT_ACL_HOST_TO_DEVICE_DEFAULT_SIZE and BT_ACL_DEVICE_TO_HOST_DEFAULT_SIZE are set to 384.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
cypress cyw20735_firmware -
CVE-2020-11957 MEDIUM

The Bluetooth Low Energy implementation in Cypress PSoC Creator BLE 4.2 component versions before 3.64 generates a random number (Pairing Random) with significantly less entropy than the specified 128 bits during BLE pairing. This is the case for both authenticated and unauthenticated pairing with both LE Secure Connections as well as LE Legacy Pairing. A predictable or brute-forceable random number allows an attacker (in radio range) to perform a MITM attack during BLE pairing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-331,

Products Affected

Vendor Product Version
cypress psoc_4.2_ble *
CVE-2021-34145 LOW

The Bluetooth Classic implementation in the Cypress WICED BT stack through 2.9.0 for CYW20735B1 devices does not properly handle the reception of LMP_max_slot with an invalid Baseband packet type (and LT_ADDRESS and LT_ADDR) after completion of the LMP setup procedure, allowing attackers in radio range to trigger a denial of service (firmware crash) via a crafted LMP packet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
cypress wireless_internet_connectivity_for_embedded_devices *
CVE-2021-34146 MEDIUM

The Bluetooth Classic implementation in the Cypress CYW920735Q60EVB does not properly handle the reception of continuous unsolicited LMP responses, allowing attackers in radio range to trigger a denial of service and restart (crash) of the device by flooding it with LMP_AU_Rand packets after the paging procedure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
cypress cyw920735q60evb-01_firmware -
cypress cyw20735b1_firmware -
CVE-2021-34147 MEDIUM

The Bluetooth Classic implementation in the Cypress WICED BT stack through 2.9.0 for CYW20735B1 does not properly handle the reception of a malformed LMP timing accuracy response followed by multiple reconnections to the link slave, allowing attackers to exhaust device BT resources and eventually trigger a crash via multiple attempts of sending a crafted LMP timing accuracy response followed by a sudden reconnection with a random BDAddress.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
cypress wireless_internet_connectivity_for_embedded_devices *
CVE-2021-34148 MEDIUM

The Bluetooth Classic implementation in the Cypress WICED BT stack through 2.9.0 for CYW20735B1 devices does not properly handle the reception of LMP_max_slot with a greater ACL Length after completion of the LMP setup procedure, allowing attackers in radio range to trigger a denial of service (firmware crash) via a crafted LMP packet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
cypress wireless_internet_connectivity_for_embedded_devices *
CVE-2023-47415

Cypress Solutions CTM-200 v2.7.1.5600 and below was discovered to contain an OS command injection vulnerability via the cli_text parameter.

Products Affected

Vendor Product Version
cypress ctm-200_firmware *