Vulnerabilities > CVE-2021-36357 - Incorrect Conversion between Numeric Types vulnerability in Openpowerfoundation Skiboot 2.6
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
An issue was discovered in OpenPOWER 2.6 firmware. unpack_timestamp() calls le32_to_cpu() for endian conversion of a uint16_t "year" value, resulting in a type mismatch that can truncate a higher integer value to a smaller one, and bypass a timestamp check. The fix is to use the right endian conversion function.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 1 |