Hello fellow security enthusiasts!

Today we'll look at a recently disclosed vulnerability in build_read_multi_rsp of gatt_sr.cc, the Bluetooth GATT server code, which can be used to cause a denial of service (DoS). The vulnerability, assigned CVE-2024-43763, is notable because exploiting it requires neither additional execution privileges nor user interaction, which makes it a serious concern for any device running an affected Bluetooth stack. In this post we'll walk through the code snippet, point to the original references, and discuss how the flaw is triggered.

The Vulnerability Details

First, how the vulnerability came about. The root cause is a logic error in the build_read_multi_rsp function of the Generic Attribute Profile (GATT) server in gatt_sr.cc. For those unfamiliar with it, the GATT server exposes a device's attributes (services, characteristics and descriptors) to remote Bluetooth peers over the Attribute Protocol (ATT); build_read_multi_rsp is the routine that assembles the response to an ATT Read Multiple request, in which the client asks for the values of several attribute handles in a single PDU.

The logic error can be triggered remotely by a peer within Bluetooth range (a proximal or adjacent connection), allowing an attacker to create a denial of service condition on the target device. Because no additional execution privileges and no user interaction are required, devices running affected software should be patched promptly.

Here is a snippet of the code containing the logic error in build_read_multi_rsp (the snippet names the function gatt_sr_build_read_multi_rsp):

src/gatt_sr.cc

tGATT_STATUS gatt_sr_build_read_multi_rsp(tGATT_TCB& tcb,
                                          tGATT_READ_MULTI_REQ* p_data,
                                          uint16_t& len_top_rsp,
                                          int mtu, BT_HDR& msg) {
  tGATT_STATUS reason = GATT_SUCCESS;
  // Server control block of the first client record (not used in this excerpt).
  auto p = tcb.cl_rcb.begin()->p_srv_cb;

  // Logic error: the request is rejected with GATT_INVALID_HANDLE here.
  // The comparison literal was missing from the original snippet; 0 (an empty
  // handle list) is assumed.
  if (!p_data || p_data->num_handles == 0) {
    return GATT_INVALID_HANDLE;
  } else {
    // Some other code (omitted in the original snippet)
  }

  return reason;
}

As the snippet shows, the problem lies in the condition on p_data and p_data->num_handles: the check does not match what the rest of the function assumes about the request, so the function can return GATT_INVALID_HANDLE when there is no actual problem with the handles, and, more importantly, can proceed into the response-building path for a request it should have rejected. A Read Multiple handler has to validate the request (the number of handles and each handle value) before it touches the attribute database, and it has to keep the assembled response within the negotiated ATT MTU.
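To make the two checks concrete, here is an added, self-contained model of a Read Multiple handler. It is example code written for this post, not the Android Bluetooth stack's own gatt_sr.cc and not the fix for CVE-2024-43763. The ATT opcodes and error codes come from the Bluetooth Core Specification (Vol 3, Part F); the attribute database (kSampleDb), the function names parse_read_multi_req and build_read_multi_rsp, and the sample PDUs are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

// ATT opcodes and error codes (Bluetooth Core Specification, Vol 3, Part F).
constexpr uint8_t ATT_OP_ERROR_RSP      = 0x01;
constexpr uint8_t ATT_OP_READ_MULTI_REQ = 0x0E;
constexpr uint8_t ATT_OP_READ_MULTI_RSP = 0x0F;
constexpr uint8_t ATT_ERR_INVALID_HANDLE = 0x01;
constexpr uint8_t ATT_ERR_INVALID_PDU    = 0x04;

// Stand-in attribute database for this example: handle -> value bytes.
using AttrDb = std::map<uint16_t, std::vector<uint8_t>>;
const AttrDb kSampleDb{{0x0003, {0x01, 0x02}}, {0x0005, {0xAA, 0xBB, 0xCC}}};

// Parse a Read Multiple Request PDU: opcode followed by a set of two or more
// little-endian 16-bit handles. Returns 0 on success or an ATT error code.
// All structural checks happen here, before any attribute lookup.
uint8_t parse_read_multi_req(const std::vector<uint8_t>& pdu,
                             std::vector<uint16_t>& handles) {
  handles.clear();
  if (pdu.empty() || pdu[0] != ATT_OP_READ_MULTI_REQ) return ATT_ERR_INVALID_PDU;
  const size_t body = pdu.size() - 1;
  // The spec requires at least two handles, each exactly two bytes.
  if (body < 4 || (body % 2) != 0) return ATT_ERR_INVALID_PDU;
  for (size_t i = 1; i + 1 < pdu.size(); i += 2) {
    const uint16_t h = static_cast<uint16_t>(pdu[i] | (pdu[i + 1] << 8));
    if (h == 0x0000) return ATT_ERR_INVALID_HANDLE;  // handle 0 is never valid
    handles.push_back(h);
  }
  return 0;
}

// Build the Read Multiple Response. Values are concatenated in request order and
// the PDU is truncated at mtu bytes (opcode included), as the spec permits.
// Every handle is resolved before a single byte is emitted, so an unknown handle
// produces an Error Response instead of a partially filled data response.
std::vector<uint8_t> build_read_multi_rsp(const AttrDb& db,
                                          const std::vector<uint8_t>& req,
                                          size_t mtu) {
  std::vector<uint16_t> handles;
  uint8_t err = parse_read_multi_req(req, handles);
  uint16_t bad_handle = 0x0000;
  if (err == 0) {
    for (uint16_t h : handles) {
      if (db.find(h) == db.end()) {
        err = ATT_ERR_INVALID_HANDLE;
        bad_handle = h;
        break;
      }
    }
  }
  if (err != 0) {
    // Error Response: opcode, request opcode, handle in error (LE), error code.
    return {ATT_OP_ERROR_RSP, ATT_OP_READ_MULTI_REQ,
            static_cast<uint8_t>(bad_handle & 0xFF),
            static_cast<uint8_t>(bad_handle >> 8), err};
  }
  std::vector<uint8_t> rsp{ATT_OP_READ_MULTI_RSP};
  for (uint16_t h : handles) {
    for (uint8_t b : db.at(h)) {
      if (rsp.size() >= mtu) return rsp;  // never exceed the negotiated ATT_MTU
      rsp.push_back(b);
    }
  }
  return rsp;
}

int main() {
  // Constructed requests: a valid one, a single-handle one, and an unknown handle.
  const std::vector<std::vector<uint8_t>> reqs = {
      {0x0E, 0x03, 0x00, 0x05, 0x00},
      {0x0E, 0x03, 0x00},
      {0x0E, 0x03, 0x00, 0x09, 0x00}};
  for (const auto& r : reqs) {
    for (uint8_t b : build_read_multi_rsp(kSampleDb, r, 23)) std::printf("%02X ", b);
    std::printf("\n");
  }
  return 0;
}
```

The two properties worth comparing with the snippet above are that the handle-count and handle-value checks run before any database access, and that the response loop is bounded by the MTU rather than by the length of the concatenated values.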

Original References

For more detail on this vulnerability and its implications, the original references are:
- Original CVE details
- National Vulnerability Database
- Bluetooth SIG Core Specification

Exploiting the Vulnerability

Because the flaw is reachable remotely and without user interaction, it puts a wide range of Bluetooth-enabled devices at risk. An attacker can use it to create a denial of service condition, crashing the Bluetooth stack or otherwise disrupting the target device.

To trigger it, an attacker within radio range establishes a connection to the target (an adjacent or proximal connection) and sends crafted ATT Read Multiple requests that reach the logic error in build_read_multi_rsp. The mishandled request leads to the denial of service on the target, disrupting its Bluetooth functionality. No specific packet contents are given here; the point is that nothing beyond a Bluetooth connection is needed.

In Conclusion

CVE-2024-43763 is a serious vulnerability that can be used to deny service on unpatched devices. Since it requires neither additional execution privileges nor user interaction, it is important to apply the relevant patches or updates to mitigate the risk. The bug is also a reminder of how much care request validation in security-critical protocol code demands, both when writing it and when auditing it. Stay informed and stay secure!

Timeline

Published on: 01/21/2025 23:15:13 UTC
Last modified on: 03/17/2025 17:15:29 UTC