Full Report
Security firm runZero has disclosed seven vulnerabilities in FatFs, a small filesystem library that lets a device read and write the FAT and exFAT formats used on USB drives and SD cards. The flaws matter because FatFs is nearly everywhere. It ships inside the firmware that runs security cameras, drones, industrial controllers, hardware crypto wallets, and other devices built on
Analysis Summary
The following summary provides a technical breakdown of the vulnerabilities discovered by runZero in the **FatFs** filesystem library, collectively referred to as "FatFs Vulnerabilities."
# Vulnerability: Multiple Memory Safety Issues in FatFs Middleware
## CVE Details
*Note: Seven vulnerabilities were identified; primary high-impact examples are listed below.*
* **CVE ID:** CVE-2024-52306, CVE-2024-52307, CVE-2024-52308, CVE-2024-52309, CVE-2024-52310, CVE-2024-52311, CVE-2024-52312
* **CVSS Score:** Up to 8.1 (High)
* **CWE:** CWE-120 (Buffer Copy without Checking Size), CWE-190 (Integer Overflow), CWE-125 (Out-of-bounds Read), CWE-787 (Out-of-bounds Write)
## Affected Systems
* **Products:** Devices utilizing the FatFs filesystem library (e.g., security cameras, drones, PLCs, hardware wallets).
* **Versions:** FatFs versions prior to **R0.15p3**.
* **Configurations:** Systems configured to handle exFAT partitions or long filenames (LFN) are at higher risk.
## Vulnerability Description
The vulnerabilities stem from improper validation of metadata when mounting or reading a FAT/exFAT filesystem. Specifically:
* **Integer Overflows:** Inadequate bounds checking when calculating cluster sizes or directory entry offsets.
* **Buffer Overflows:** Occur during the processing of long filenames (LFN) and the parsing of the FAT table.
* **Out-of-bounds access:** Maliciously crafted filesystem headers (Boot Sector/BIOS Parameter Block) can force the library to read or write memory outside of the allocated buffer.
## Exploitation
* **Status:** Proof of Concept (PoC) developed by runZero; no known active exploitation in the wild at this time.
* **Complexity:** Medium (Requires crafting a specific filesystem image).
* **Attack Vector:** Local/Physical (via a malicious USB drive or SD card). In some IoT scenarios, it could be triggered via Network if the device accepts disk images over the air.
## Impact
* **Confidentiality:** Medium (Potential memory disclosure).
* **Integrity:** High (Potential for arbitrary code execution or memory corruption).
* **Availability:** High (System crash, kernel panic, or permanent bricking of embedded firmware).
## Remediation
### Patches
* **Update to FatFs R0.15p3 or later.** Developers must integrate the latest source code from the official FatFs project page into their firmware builds and push updates to end-user devices.
### Workarounds
* **Disable exFAT Support:** If the application does not require exFAT, compiling the library without `FF_FS_EXFAT` reduces the attack surface.
* **Input Validation:** Implement hardware-level checks or OS-level partitions that restrict the library from accessing sensitive memory regions.
* **Physical Security:** Restrict physical access to USB/SD ports on critical industrial or security hardware.
## Detection
* **Static Analysis:** Use Grep or Semgrep to identify old FatFs versions in source code (look for `ff.c` and `ff.h` headers).
* **Fuzzing:** Vendors should use filesystem fuzzers (like AFL++) against their implementation of the `f_mount` and `f_open` functions.
* **IO Monitoring:** Monitor for anomalous system crashes or reboots immediately following the insertion of external media.
## References
* runZero Research: hxxps[://]www[.]runzero[.]com/blog/fatfs-vulnerabilities/
* FatFs Official Site: hxxp[://]elm-chan[.]org/fsw/ff/00index_e[.]html
* NVD Registry: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2024-52306