Security vulnerabilities and automated fixes for firmware issues
8 posts found
A high-severity vulnerability in ESP32 firmware allowed attackers to trigger stack and heap corruption by sending malformed UART frames shorter than expected to an mmWave sensor driver. Multiple `memcpy` operations copied data into fixed-size local variables without first verifying the source buffer was large enough, opening the door to arbitrary code execution. The fix replaces magic-number length guards with `sizeof()`-based checks that are portable, self-documenting, and provably correct.
A critical out-of-bounds memory access vulnerability was discovered in the FatFSUSB library used by the micro-journal ESP32 firmware, where `memcpy` operations on a sector buffer accepted attacker-controlled offset and size values from USB SCSI commands without any bounds validation. A malicious USB host could craft SCSI READ/WRITE commands to corrupt memory, potentially crashing the device or executing arbitrary code. The fix adds a simple but essential bounds check before every `memcpy` operation,
A critical heap buffer overflow vulnerability was discovered and patched in a BLE (Bluetooth Low Energy) characteristic write handler, where missing bounds checks allowed any nearby Bluetooth device to send oversized payloads and potentially execute arbitrary code. This fix adds essential buffer-length validation before memory copy operations, closing a remote attack vector that required zero authentication to exploit. Understanding this class of vulnerability is essential for any developer work
A critical buffer overflow vulnerability was discovered and patched in the CRSF (Crossfire Serial Protocol) receiver packet handler, where attacker-controlled payload size fields were passed directly to `memcpy` without bounds checking. This class of vulnerability is particularly dangerous in embedded firmware because it can corrupt adjacent memory on microcontrollers, potentially allowing an attacker within RF range to hijack or crash a drone mid-flight. The fix adds proper size validation befo
A high-severity vulnerability was discovered and patched in firmware package handling code, where debug and monitoring endpoints were left exposed without any authentication, authorization, or IP restrictions. These endpoints leaked sensitive application internals including thread states, database connection pool statistics, and potentially sensitive data stored in thread-local storage. Left unpatched, this flaw could allow any unauthenticated attacker to map out application internals and pivot
A medium-severity vulnerability was discovered and patched in the PicoW ClockMaster firmware's MQTT client, where file import functionality lacked resource limits and the broker connection lacked authentication—allowing attackers on the same network to inject spoofed motor and LED commands. The fix introduces proper input validation, file size checks, JSON depth limits, and authenticated/encrypted MQTT connections. This case is a timely reminder that IoT firmware security requires the same rigor
A medium-severity vulnerability was discovered and patched in an IoT Over-the-Air (OTA) firmware update server, where a Flask route accepted firmware file uploads without any authentication. This flaw allowed any attacker with network access to push arbitrary firmware binaries to connected IoT devices — a potentially devastating supply chain attack vector. The fix introduces proper authentication controls, closing the door on unauthorized firmware injection.
A critical use-after-free vulnerability was discovered in ESP32 firmware's display buffer allocation error handling. When memory allocation fails, freed pointers aren't nullified, creating dangling references that attackers can exploit through controlled heap manipulation. This vulnerability demonstrates why proper pointer hygiene is essential in embedded systems security.