Critical Flaw Hits Smart Home Devices

A critical vulnerability has been disclosed in Zephyr RTOS, a real-time operating system widely used in IoT and smart home products. The flaw, rated 9.4 on the CVSS scale, allows for unauthenticated remote code execution, exposing millions of devices—including some Matter-compatible endpoints—to takeover.

The critical vulnerability referenced in the initial report appears to be CVE-2023-7060, though its CVSS score is officially rated as 8.6, not 9.4. This flaw resides in the network stack of Zephyr OS and pertains to a failure to properly handle IP address spoofing, which can lead to denial-of-service attacks or bypass security controls. The vulnerability was discovered by researchers at the Synopsys Cybersecurity Research Center (CyRC) and allows an attacker to send IP packets with a falsified source address that the system would then trust. This could allow unauthorized access and data manipulation. The issue affects all unpatched versions of Zephyr OS that support IPv4 or IPv6.

The Zephyr project has already integrated patches to address CVE-2023-7060 into the main branch and several release branches, including versions 3.5, 3.4, and the long-term support (LTS) version 2.7. The fixes prevent the network stack from accepting IP packets from an external interface with a source address that matches the local host or the destination address, which was the root cause of the vulnerability.

Zephyr is a popular real-time operating system for resource-constrained embedded devices, including a wide range of smart home and IoT products. Its modularity and support for multiple architectures make it a common choice for developers. While not all Matter-compatible devices use Zephyr, its prevalence in the IoT sector means this vulnerability has a significant potential impact on the smart home ecosystem.

This is not the first time security issues have been identified in Zephyr's network and Bluetooth stacks. Past vulnerabilities have also allowed for remote code execution or denial-of-service attacks. The open-source nature of Zephyr, however, facilitates a transparent process for vulnerability reporting and patching, with a dedicated security subcommittee that manages the disclosure and resolution of such flaws.
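The ingress check described for the CVE-2023-7060 fix can be sketched as follows. This is an added example, not Zephyr's code: the struct layouts and function names are hypothetical, "local host" is assumed to mean a loopback address or one of the device's own addresses, and the sample packets are constructed from documentation address ranges.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: IPv4 uses the first 4 bytes of b, IPv6 all 16. */
struct ip_addr { bool v6; uint8_t b[16]; };
struct rx_pkt { bool from_loopback_iface; struct ip_addr src, dst; };

static bool addr_eq(const struct ip_addr *a, const struct ip_addr *b)
{
    return a->v6 == b->v6 && memcmp(a->b, b->b, a->v6 ? 16 : 4) == 0;
}

static bool is_loopback(const struct ip_addr *a)
{
    static const uint8_t v6_lo[16] = { [15] = 1 };          /* ::1 */
    return a->v6 ? memcmp(a->b, v6_lo, 16) == 0 : a->b[0] == 127;
}

/* Returns true if a received packet must be dropped before further processing. */
bool drop_spoofed_source(const struct rx_pkt *p,
                         const struct ip_addr *own, size_t n_own)
{
    if (p->from_loopback_iface)
        return false;               /* locally generated traffic is exempt */
    if (is_loopback(&p->src) || addr_eq(&p->src, &p->dst))
        return true;                /* loopback source, or source == destination */
    for (size_t i = 0; i < n_own; i++)
        if (addr_eq(&p->src, &own[i]))
            return true;            /* external packet claiming to be from us */
    return false;
}

/* Constructed sample data (documentation address ranges only). */
static const struct ip_addr OWN[] = { { false, { 192, 0, 2, 10 } } };
static const struct rx_pkt SPOOF_OWN = { false, { false, { 192, 0, 2, 10 } }, { false, { 192, 0, 2, 11 } } };
static const struct rx_pkt SPOOF_DST = { false, { false, { 198, 51, 100, 7 } }, { false, { 198, 51, 100, 7 } } };
static const struct rx_pkt SPOOF_LO = { false, { false, { 127, 0, 0, 1 } }, { false, { 192, 0, 2, 10 } } };
static const struct rx_pkt SPOOF_V6_LO = { false, { true, { [15] = 1 } }, { true, { 0x20, 0x01, 0x0d, 0xb8, [15] = 1 } } };
static const struct rx_pkt LEGIT = { false, { false, { 198, 51, 100, 7 } }, { false, { 192, 0, 2, 10 } } };
static const struct rx_pkt LOCAL = { true, { false, { 127, 0, 0, 1 } }, { false, { 127, 0, 0, 1 } } };

int main(void)
{
    printf("own=%d dst=%d lo=%d v6lo=%d legit=%d local=%d\n",
           drop_spoofed_source(&SPOOF_OWN, OWN, 1), drop_spoofed_source(&SPOOF_DST, OWN, 1),
           drop_spoofed_source(&SPOOF_LO, OWN, 1), drop_spoofed_source(&SPOOF_V6_LO, OWN, 1),
           drop_spoofed_source(&LEGIT, OWN, 1), drop_spoofed_source(&LOCAL, OWN, 1));
    return 0;
}
```
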
