Need help interpreting vulnerability reports for nRF Connect SDK 2.9.0 - Zephyr 3.7.99

I am working on a project in which we are using nRF Connect SDK v2.9.0 on a custom board with the nRF5340 SoC. The device is a BLE peripheral implementing a couple of GATT services.

While checking the software dependencies in our project for known vulnerabilities, I encountered the following security advisories from the Zephyr project, which I believe are applicable in our project:

https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-9r46-cqqw-6j2j 
https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-vmww-237q-2fwp 
https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-xqj6-vh76-2vv8 
https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hcc8-3qr7-c9m8 
https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8hrf-pfww-83v9 

All of these issues have been fixed in Zephyr v4.2.0, but nRF Connect SDK v2.9.0 includes an older version of Zephyr (v3.7.99-ncs2). I assume this was forked from upstream Zephyr v3.7.x and includes additional patches, but I don't believe fixes for the vulnerabilities listed above were included.

I find it difficult to judge the impact of these vulnerabilities, as I am not familiar with the inner workings of the Zephyr BLE stack. As far as I understand, an exploit of any of these requires an attacker to send a (sequence of) specially crafted packet(s), and the result would be, in most cases, a denial of service (either by breaking an existing connection or by crashing the device). The first three vulnerabilities in the list also mention memory corruption through buffer overflows, which could, theoretically, be used to execute malicious code.

In our use-case we can tolerate DoS caused by malicious actors, but an attacker being able to execute their own code on our device is definitely something we must prevent.

So how serious are these actually? Which tools would you need to exploit these vulnerabilities?
