CVE-2024-6135

7.6 HIGH

📋 TL;DR

This CVE describes a heap-based buffer overflow in the Zephyr RTOS Bluetooth Classic stack caused by missing buffer length checks. Attackers can exploit it to execute arbitrary code or cause a denial of service on affected devices. It affects systems running Zephyr RTOS with Bluetooth Classic functionality enabled.

💻 Affected Systems

Products:
  • Zephyr RTOS
Versions: All versions prior to v3.7.1
Operating Systems: Zephyr RTOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Bluetooth Classic (BR/EDR) functionality enabled. BLE-only configurations are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, data exfiltration, or persistent backdoor installation.

🟠 Likely Case

Denial of service through device crashes or reboots, potentially disrupting Bluetooth connectivity and device functionality.

🟢 If Mitigated

Limited impact with proper network segmentation and Bluetooth security controls, potentially only causing temporary service disruption.

🌐 Internet-Facing: MEDIUM - Requires Bluetooth proximity (typically ~10m range) but can be exploited remotely within that range without authentication.
🏢 Internal Only: MEDIUM - Same technical risk but limited to physical proximity of attacker to vulnerable devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires Bluetooth proximity and knowledge of vulnerable devices. No authentication needed to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.7.1

Vendor Advisory: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-xcr5-5g98-mchp

Restart Required: Yes

Instructions:

1. Update Zephyr RTOS to version 3.7.1 or later.
2. Rebuild and redeploy firmware to affected devices.
3. Verify Bluetooth Classic functionality is properly configured with security controls.

🔧 Temporary Workarounds

Disable Bluetooth Classic (applies to: all)

Disable BR/EDR (Bluetooth Classic) functionality if it is not required, running in BLE-only mode.

CONFIG_BT_CLASSIC=n in prj.conf or Kconfig

Enable Bluetooth Security (applies to: all)

Enforce Bluetooth pairing and encryption to limit the attack surface.

CONFIG_BT_SMP=y
CONFIG_BT_BONDING=y in prj.conf

🧯 If You Can't Patch

  • Segment Bluetooth network - isolate vulnerable devices from critical systems
  • Implement physical security controls to limit Bluetooth proximity access

🔍 How to Verify

Check if Vulnerable:

Check the Zephyr version and the Bluetooth Classic configuration: run grep -r 'CONFIG_BT_CLASSIC' in the build directory (CONFIG_BT_CLASSIC=y means the BR/EDR stack is compiled in) and check the Zephyr version.

Check Version:

Check the Zephyr version in the project configuration or build output: cat the VERSION file in the Zephyr tree or check the west manifest.

Verify Fix Applied:

Verify Zephyr version is 3.7.1 or later and review Bluetooth stack configuration for proper buffer handling.
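
The version check and the CONFIG_BT_CLASSIC check above can be combined into one decision. The script below is an added example, not part of this advisory or of the Zephyr project; it assumes the standard layout of Zephyr's VERSION file (VERSION_MAJOR, VERSION_MINOR and PATCHLEVEL lines) and a Kconfig-style generated build/zephyr/.config, and the sample inputs at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or the Zephyr project): classify a
# Zephyr build as patched, vulnerable or not affected by CVE-2024-6135 from
# the text of its VERSION file and its generated build/zephyr/.config.

# Read one numeric field (e.g. VERSION_MAJOR) from VERSION text on stdin; 0 if absent.
version_field() {
    val=$(sed -n "s/^$1 *= *\([0-9][0-9]*\).*/\1/p" | head -n 1)
    echo "${val:-0}"
}

# Usage: zephyr_cve_2024_6135_status "<VERSION text>" "<.config text>"
# Prints one of: not-affected | patched | vulnerable
zephyr_cve_2024_6135_status() {
    version_text="$1"
    config_text="$2"

    # The BR/EDR stack is only compiled in with CONFIG_BT_CLASSIC=y. A missing
    # symbol or "# CONFIG_BT_CLASSIC is not set" means a BLE-only image, which
    # the advisory lists as not vulnerable.
    if ! printf '%s\n' "$config_text" | grep -q '^CONFIG_BT_CLASSIC=y$'; then
        echo "not-affected"
        return 0
    fi

    major=$(printf '%s\n' "$version_text" | version_field VERSION_MAJOR)
    minor=$(printf '%s\n' "$version_text" | version_field VERSION_MINOR)
    patch=$(printf '%s\n' "$version_text" | version_field PATCHLEVEL)

    # Encode as MMmmpp so one integer compare implements "older than v3.7.1".
    ver=$((major * 10000 + minor * 100 + patch))
    if [ "$ver" -ge 30701 ]; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Constructed sample inputs (not from a real device): a 3.6.0 tree with
# Bluetooth Classic enabled, which the check must report as vulnerable.
SAMPLE_VERSION='VERSION_MAJOR = 3
VERSION_MINOR = 6
PATCHLEVEL = 0'
SAMPLE_CONFIG='CONFIG_BT=y
CONFIG_BT_CLASSIC=y'

# On a real tree: zephyr_cve_2024_6135_status "$(cat zephyr/VERSION)" "$(cat build/zephyr/.config)"
zephyr_cve_2024_6135_status "$SAMPLE_VERSION" "$SAMPLE_CONFIG"
```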

📡 Detection & Monitoring

Log Indicators:

  • Bluetooth stack crashes
  • Unexpected device reboots
  • Memory corruption errors in system logs

Network Indicators:

  • Unusual Bluetooth connection attempts
  • Malformed Bluetooth packets
  • Excessive Bluetooth traffic

SIEM Query:

Device logs: (event_category="bluetooth" AND (event_type="crash" OR event_type="error")) OR (process="zephyr" AND exit_code!=0)
