NRF Connect SDK / NRFXLIB security vulnerabilities

I am currently in the process of filling out the 18031 RED Cybersecurity certification documentation. I am currently analyzing the security vulnerabilities list of NCS v1.4.2 (link below) and noticed that it's only referencing vulnerabilities for the Zephyr project. I had a couple of questions for your team.

  1. Do the other main libraries (NCS and NRFXLIB) have a list of security vulnerabilities that would be applicable to the 18031?
  2. Are there any other libraries' security vulnerabilities that would also be applicable to the 18031? I'm currently assessing a specific version of mbed_tls as well for any security vulnerabilities.

Any info on this subject would be greatly appreciated!

docs.nordicsemi.com/.../vulnerabilities.html

  • Hello, I've been assigned your ticket and am currently investigating internally.

    I hope to get back to you within Thursday or Friday this week. 

    Kind regards,
    Øyvind

  • Thanks Øyvind!


    I have some additional questions as well based on me digging in more.

    3. I think I misunderstood the `vulnerabilities.html` document as being the active vulnerabilities for the Zephyr product. After reading the top, it seems like it's the vulnerabilities RESOLVED for the current release. Can you confirm?

    4. I looked up the specific Zephyr product/version in the NVD that I'm using: ncs 1.4.2 and zephyr 2.4.0 (it's a bit behind). Would this be the correct list to reference for current vulnerabilities for the Zephyr repo used within the nRF Connect SDK?

    https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Ao%3Azephyrproject%3Azephyr%3A2.4.0%3A-%3A*%3A*%3A*%3A*%3A*%3A*

  • Hello again, and my apologies for the late reply. 

    From what I'm informed, we are in the process of publishing a public vulnerability list on our website, but unfortunately this is still work in progress. For mbed-TLS, the list of vulnerabilities should be compared to the mbed-TLS public git repo. NCS 1.4.2 integrates v2.23.0 of mbed-TLS. However, Zephyr may also be using this version. Are you using MCUboot?

    Jameson said:
    4. I looked up the specific Zephyr product/version in the NVD that I'm using: ncs 1.4.2 and zephyr 2.4.0 (it's a bit behind). Would this be the correct list to reference for current vulnerabilities for the Zephyr repo used within the nRF Connect SDK?

    This seems to be an accurate list. Zephyr doesn't backport fixes to all previous versions, but unfortunately, in most cases, when a vulnerability is found it affects all previous versions (or at least back to the point the new piece of code was added). As the Zephyr version you are using is quite old, it is no surprise that it has some vulnerabilities.

    Kind regards,
    Øyvind

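The exchange above boils down to two mechanical steps: build the NVD CPE-name query for each component version you ship, and decide which of the returned CVE records actually apply to that version once you take the "affects all previous versions until the fix" point into account. The script below is an added example for this thread, not Nordic's, Zephyr's or NVD's own tooling. It rebuilds the exact NVD search URL quoted in the thread for Zephyr 2.4.0, then evaluates NVD-style `cpeMatch` entries (with their `versionStartIncluding` / `versionEndExcluding` fields) against the two components named in the thread. The CVE records are constructed placeholders with made-up IDs, and the CPE vendor/product pair for mbed TLS (`arm:mbed_tls`) is an assumption; the Zephyr CPE name is the one in the thread's URL.

```python
"""Match the NCS 1.4.2 component versions from the thread against NVD-style
CPE configuration data.  Added example; the CVE records below are CONSTRUCTED
placeholders, not real advisories."""
import re
from dataclasses import dataclass
from urllib.parse import quote

# Prefix of the NVD CPE-name search used in the thread.
NVD_SEARCH = ("https://nvd.nist.gov/vuln/search/results"
              "?adv_search=true&isCpeNameSearch=true&query=")


@dataclass(frozen=True)
class Component:
    part: str       # 'o' = operating system, 'a' = application
    vendor: str
    product: str
    version: str

    def cpe(self) -> str:
        # CPE 2.3 formatted string: '-' means "no update field", '*' = any.
        return (f"cpe:2.3:{self.part}:{self.vendor}:{self.product}:"
                f"{self.version}:-:*:*:*:*:*:*")

    def key(self) -> str:
        return f"{self.vendor}:{self.product}:{self.version}"


def nvd_cpe_search_url(comp: Component) -> str:
    # NVD keeps '*' literal and percent-encodes ':' in the query parameter.
    return NVD_SEARCH + quote(comp.cpe(), safe="*")


def parse_cpe23(cpe: str) -> dict:
    # Naive split: fine for the unescaped names used here (CPE allows '\:').
    fields = cpe.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    names = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")
    return dict(zip(names, fields[2:]))


def version_key(v: str) -> tuple:
    # Dotted-numeric comparison; adequate for Zephyr and mbed TLS release tags.
    return tuple(int(x) for x in re.findall(r"\d+", v))


def cpe_match_applies(match: dict, comp: Component) -> bool:
    """One NVD cpeMatch entry: exact version in the criteria, or a range
    expressed through the optional versionStart*/versionEnd* fields."""
    if not match.get("vulnerable", True):
        return False
    crit = parse_cpe23(match["criteria"])
    if crit["vendor"] != comp.vendor or crit["product"] != comp.product:
        return False
    v = version_key(comp.version)
    if crit["version"] not in ("*", "-"):
        return version_key(crit["version"]) == v
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    if lo_inc and v < version_key(lo_inc):
        return False
    if lo_exc and v <= version_key(lo_exc):
        return False
    if hi_inc and v > version_key(hi_inc):
        return False
    if hi_exc and v >= version_key(hi_exc):
        return False
    return True


def cve_applies(cve: dict, comp: Component) -> bool:
    # Every node is treated as OR over its cpeMatch list.  AND-combined nodes
    # and 'negate' (running-on/with conditions) are not modelled here.
    return any(cpe_match_applies(m, comp)
               for cfg in cve["configurations"]
               for node in cfg["nodes"]
               for m in node["cpeMatch"])


def applicable_cves(cves: list, components: list) -> dict:
    return {c.key(): sorted(cve["id"] for cve in cves if cve_applies(cve, c))
            for c in components}


# Components named in the thread.  The mbed TLS CPE name is an assumption.
NCS_1_4_2 = [
    Component("o", "zephyrproject", "zephyr", "2.4.0"),
    Component("a", "arm", "mbed_tls", "2.23.0"),
]


def _match(criteria: str, **ranges) -> dict:
    return {"vulnerable": True, "criteria": criteria, **ranges}


def _cve(cve_id: str, *matches) -> dict:
    return {"id": cve_id,
            "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": list(matches)}]}]}


ZEPHYR_ANY = "cpe:2.3:o:zephyrproject:zephyr:*:*:*:*:*:*:*:*"
MBEDTLS_ANY = "cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*"

# CONSTRUCTED records with placeholder IDs, shaped like NVD API 2.0 output.
CONSTRUCTED_CVES = [
    # Fixed in 2.5.0, no backport: every earlier release, 2.4.0 included, is affected.
    _cve("CVE-0000-0001", _match(ZEPHYR_ANY, versionEndExcluding="2.5.0")),
    # Bug in code first added in 2.5.0: 2.4.0 predates it and is not affected.
    _cve("CVE-0000-0002", _match(ZEPHYR_ANY, versionStartIncluding="2.5.0",
                                 versionEndExcluding="2.6.0")),
    # Affects mbed TLS up to and including 2.23.0, the version NCS 1.4.2 integrates.
    _cve("CVE-0000-0003", _match(MBEDTLS_ANY, versionEndIncluding="2.23.0")),
    # Exact-version entry for a later release only.
    _cve("CVE-0000-0004", _match("cpe:2.3:a:arm:mbed_tls:2.24.0:*:*:*:*:*:*:*")),
]

if __name__ == "__main__":
    for comp in NCS_1_4_2:
        print(comp.key(), "->", nvd_cpe_search_url(comp))
    for key, ids in applicable_cves(CONSTRUCTED_CVES, NCS_1_4_2).items():
        print(key, "applicable:", ids)
```

The range-field logic is what makes the "no backport" remark concrete: an entry with only `versionEndExcluding` set sweeps in every earlier release, so an old pinned Zephyr or mbed TLS accumulates findings until the SDK (or a local fork) moves to a release at or beyond each fix. When running this against real NVD API output, keep the `negate` and AND-node caveat in mind and check the MCUboot component separately, since it is pinned on its own.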