
Vulnerable USB device middleware

Open szymonh opened this issue 3 years ago • 3 comments

The STM32Cube MCU Packages listed in this repository contain vulnerable USB device middleware. Multiple USB device classes are affected by buffer overflows allowing successful attacks on devices. The issue was reported to ST and resolved in March 2021 (https://github.com/stmicroelectronics/stm32_mw_usb_device/, release 2.8.0), but the fixed implementation has not been incorporated into the MCU-specific Cube packages till now. So despite the fixes being available, users are still creating vulnerable applications for months. Furthermore, the corresponding CVE-2021-38541 still has not been published. The PSIRT team at [email protected] ignores my questions about updating the Cube MCU Packages with up-to-date middleware and the CVE.

Can you please provide some comment on this?

szymonh avatar Jan 12 '22 15:01 szymonh

@CCASTM Could you please provide some feedback with regards to this issue?

szymonh avatar Jan 20 '22 12:01 szymonh

@ST-dot-com I see that there is some communication issue - I cannot receive a meaningful response either from PSIRT via email or here at GitHub.

szymonh avatar Mar 19 '22 18:03 szymonh

@stmicroelectronics-github Can you please provide your feedback for this issue? When are you planning to publish the CVE and migrate the fixes?

szymonh avatar May 14 '22 09:05 szymonh