CVE-2023-5563 : Security Advisory and Response
Learn about CVE-2023-5563, a high-severity vulnerability in Zephyr versions up to 3.3, impacting SJA1000 CAN controller driver. Mitigation steps included.
This CVE-2023-5563 was assigned by Zephyr and was published on October 12, 2023. It affects Zephyr versions up to 3.3 due to a vulnerability in the SJA1000 CAN controller driver backend.
Understanding CVE-2023-5563
This section will delve into the details of CVE-2023-5563, including the vulnerability description, impact, affected systems, and mitigation steps.
What is CVE-2023-5563?
The vulnerability in CVE-2023-5563 lies in the SJA1000 CAN controller driver backend, which automatically attempts to recover from a bus-off event when built with CONFIG_CAN_AUTO_BUS_OFF_RECOVERY=y. This action leads to calling k_sleep() in IRQ context, resulting in a fatal exception.
The Impact of CVE-2023-5563
The impact of this vulnerability is categorized as "HIGH" severity, with a CVSS base score of 7.1. It falls under CAPEC-74 Manipulating User State and can potentially lead to manipulation of user state.
Technical Details of CVE-2023-5563
In this section, we will explore the technical aspects of CVE-2023-5563, such as the vulnerability description, affected systems and versions, and exploitation mechanism.
Vulnerability Description
The vulnerability arises from the improper handling of exceptional conditions in the SJA1000 CAN controller driver backend, leading to a fatal exception when attempting to recover from a bus-off event.
Affected Systems and Versions
Zephyr versions up to 3.3 are affected by this vulnerability when built with CONFIG_CAN_AUTO_BUS_OFF_RECOVERY=y.
Exploitation Mechanism
Exploiting this vulnerability involves triggering a bus-off event in the SJA1000 CAN controller driver backend to induce the fatal exception by calling k_sleep() in IRQ context.
Mitigation and Prevention
This section provides guidance on mitigating the risks associated with CVE-2023-5563 to ensure the security of affected systems.
Immediate Steps to Take
Developers and users are advised to update their Zephyr installations to versions beyond 3.3 or apply the necessary patches to address this vulnerability promptly.
Long-Term Security Practices
Implementing secure coding practices, regular security assessments, and staying informed about security updates can help prevent similar vulnerabilities in the future.
Patching and Updates
Regularly monitor security advisories from Zephyr and apply patches or updates promptly to protect systems from known vulnerabilities and security risks.