cve-2021-43997
Vulnerability from cvelistv5
Published
2021-11-17 00:00
Modified
2024-08-04 04:10
Severity ?
Summary
FreeRTOS versions 10.2.0 through 10.4.5 do not prevent non-kernel code from calling the xPortRaisePrivilege internal function to raise privilege. FreeRTOS versions through 10.4.6 do not prevent a third party that has already independently gained the ability to execute injected code to achieve further privilege escalation by branching directly inside a FreeRTOS MPU API wrapper function with a manually crafted stack frame. These issues affect ARMv7-M MPU ports, and ARMv8-M ports with MPU support enabled (i.e. configENABLE_MPU set to 1). These are fixed in V10.5.0 and in V10.4.3-LTS Patch 3.
References
cve@mitre.orghttps://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.3-LTS-Patch-2Release Notes, Third Party Advisory
cve@mitre.orghttps://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.3-LTS-Patch-3
cve@mitre.orghttps://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.6Release Notes, Third Party Advisory
cve@mitre.orghttps://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.5.0
af854a3a-2127-422b-91ae-364da2661108https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.3-LTS-Patch-2Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.3-LTS-Patch-3
af854a3a-2127-422b-91ae-364da2661108https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.6Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.5.0
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:10:16.905Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.3-LTS-Patch-2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.5.0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.3-LTS-Patch-3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FreeRTOS versions 10.2.0 through 10.4.5 do not prevent non-kernel code from calling the xPortRaisePrivilege internal function to raise privilege. FreeRTOS versions through 10.4.6 do not prevent a third party that has already independently gained the ability to execute injected code to achieve further privilege escalation by branching directly inside a FreeRTOS MPU API wrapper function with a manually crafted stack frame. These issues affect ARMv7-M MPU ports, and ARMv8-M ports with MPU support enabled (i.e. configENABLE_MPU set to 1). These are fixed in V10.5.0 and in V10.4.3-LTS Patch 3."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-11T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.3-LTS-Patch-2"
        },
        {
          "url": "https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.6"
        },
        {
          "url": "https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.5.0"
        },
        {
          "url": "https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.3-LTS-Patch-3"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-43997",
    "datePublished": "2021-11-17T00:00:00",
    "dateReserved": "2021-11-17T00:00:00",
    "dateUpdated": "2024-08-04T04:10:16.905Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-43997\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-11-17T21:15:07.780\",\"lastModified\":\"2024-11-21T06:30:10.423\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FreeRTOS versions 10.2.0 through 10.4.5 do not prevent non-kernel code from calling the xPortRaisePrivilege internal function to raise privilege. FreeRTOS versions through 10.4.6 do not prevent a third party that has already independently gained the ability to execute injected code to achieve further privilege escalation by branching directly inside a FreeRTOS MPU API wrapper function with a manually crafted stack frame. These issues affect ARMv7-M MPU ports, and ARMv8-M ports with MPU support enabled (i.e. configENABLE_MPU set to 1). These are fixed in V10.5.0 and in V10.4.3-LTS Patch 3.\"},{\"lang\":\"es\",\"value\":\"Las versiones de FreeRTOS versiones10.2.0 hasta la 10.4.5 no evitan que el c\u00f3digo que no es del n\u00facleo llame a la funci\u00f3n interna xPortRaisePrivilege para elevar el privilegio. Las versiones de FreeRTOS hasta la 10.4.6 no impiden que un tercero que ya haya obtenido de forma independiente la capacidad de ejecutar c\u00f3digo inyectado consiga una mayor elevaci\u00f3n de privilegios bifurc\u00e1ndose directamente dentro de una funci\u00f3n envolvente de la API de FreeRTOS MPU con un marco de pila manipulado manualmente. Estos problemas afectan a los puertos ARMv7-M MPU, y a los puertos ARMv8-M con soporte MPU habilitado (es decir, configENABLE_MPU establecido en 1). Estos problemas se han solucionado en V10.5.0 y en V10.4.3-LTS Parche 3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":7.2,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":3.9,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:amazon:freertos:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"10.2.0\",\"versionEndExcluding\":\"10.4.6\",\"matchCriteriaId\":\"4FB285CB-30B9-4537-9AC8-7C0BF1643D05\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:amazon:freertos:10.4.3:patch1:*:*:lts:*:*:*\",\"matchCriteriaId\":\"95529D7D-3DBE-4227-811F-BBE6F0281CFE\"}]}]}],\"references\":[{\"url\":\"https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.3-LTS-Patch-2\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.3-LTS-Patch-3\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.6\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.5.0\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.3-LTS-Patch-2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.3-LTS-Patch-3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.4.6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/FreeRTOS/FreeRTOS-Kernel/releases/tag/V10.5.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.