Skip to content

can: denial-of-service can be triggered by a crafted CAN frame

High
ceolin published GHSA-hx5v-j59q-c3j8 Oct 24, 2022

Package

zephyr (west)

Affected versions

<= 3.1

Patched versions

None

Description

Impact

During investigation of #47204 I discovered that this particular bug can be used for remote denial-of-service via CAN for MCUs using the Bosch M_CAN driver back-end for CAN communication.
This driver back-end is used for at least the NXP LPCxpresso5500 series, the ST STM32H7 series, ST STM32G4 series, ST STM32U5 series, Atmel SAME70 series, and Atmel SAMV71 series.

The denial-of-service can be triggered by transmitting a carefully crafted CAN frame on the same CAN network as the vulnerable node. The frame must have a CAN ID matching an installed filter in the vulnerable node (this can easily be guessed based on CAN traffic analyses). The frame must
contain the opposite RTR bit as what the filter installed in the vulnerable node contains (if the filter matches RTR frames, the frame must be a data frame or vice versa).

This carefully crafted frame will cause the Bosch M_CAN driver back-end interrupt service routine to enter an endless loop since the frame “wrongly" matching the filter is never acknowledged and thus keeps being read from the hardware FIFO.

Patches

For more information

If you have any questions or comments about this advisory:

embargo: 2022-10-14

Severity

High
8.2
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CVE ID

CVE-2022-2741

Weaknesses

Credits