Garrett Metal Detectors: Security Theater via Stack Overflow
Vulnerability ID: CVE-2021-21901
CVSS Score: 9.8
Published: 2021-12-22
Garrett Metal Detectors, the ubiquitous guardians of airports and stadiums, embedded a critical stack-based buffer overflow in their iC Module network interface. By sending a malformed UDP packet to port 6877, an attacker can bypass the physical security layer entirely and execute arbitrary code on the device itself.
TL;DR
A critical RCE vulnerability exists in the Garrett iC Module used in PD 6500i and MZ 6100 metal detectors. The device listens on UDP port 6877 and blindly copies up to 512 bytes of data into a 256-byte stack buffer. This allows unauthenticated remote attackers to smash the stack, control the program counter, and potentially disable security features or pivot into the management network. CVSS 9.8.
⚠️ Exploit Status: POC
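The CWE-120 pattern described above, as an added illustration rather than Garrett firmware or Talos code: a UDP command handler that copies a network-supplied length (up to 512 bytes) into a 256-byte stack buffer, next to a bounded version that drops oversize datagrams. The two sizes come from the advisory; function names and the sample datagrams are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DATAGRAM 512   /* largest UDP payload the handler reads (advisory) */
#define CMD_BUF_SIZE 256   /* stack buffer the payload is copied into (advisory) */

/* Vulnerable shape: the copy length comes straight from the datagram, so a
 * 257..512-byte payload runs past the end of cmd into saved frame data
 * (CWE-120). Kept only for contrast; it must never see untrusted lengths. */
void handle_cmd_unsafe(const uint8_t *pkt, size_t len)
{
    char cmd[CMD_BUF_SIZE];
    memcpy(cmd, pkt, len);            /* no comparison of len against sizeof cmd */
    printf("unsafe handler: copied %zu bytes\n", len);
    (void)cmd;
}

/* Hardened shape: check the length before the copy, leave room for a
 * terminator, and drop anything that does not fit. Returns the number of
 * bytes accepted, or -1 when the datagram is discarded (log it, then drop). */
int handle_cmd_safe(const uint8_t *pkt, size_t len)
{
    char cmd[CMD_BUF_SIZE];
    if (pkt == NULL || len == 0 || len >= sizeof cmd)
        return -1;
    memcpy(cmd, pkt, len);
    cmd[len] = '\0';
    return (int)len;
}

/* Constructed datagrams (not captured traffic): one in-bounds, one oversize. */
const uint8_t small_dgram[100] = { 0x41 };
const uint8_t big_dgram[MAX_DATAGRAM] = { 0x41 };

int main(void)
{
    handle_cmd_unsafe(small_dgram, sizeof small_dgram);   /* fine at 100 bytes */
    printf("safe, 100 bytes: %d\n", handle_cmd_safe(small_dgram, sizeof small_dgram));
    printf("safe, 512 bytes: %d\n", handle_cmd_safe(big_dgram, sizeof big_dgram));
    printf("safe, 255 bytes: %d\n", handle_cmd_safe(big_dgram, CMD_BUF_SIZE - 1));
    printf("safe, 256 bytes: %d\n", handle_cmd_safe(big_dgram, CMD_BUF_SIZE));
    return 0;
}
```

In a real handler the length passed in is whatever recvfrom() returned, which is exactly the value the bounded version refuses to trust.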
Technical Details
- CWE: CWE-120 (Buffer Copy without Checking Size of Input)
- Attack Vector: Network (UDP 6877)
- CVSS v3.1: 9.8 (Critical)
- Impact: Remote Code Execution (RCE)
- Root Cause: Stack-based Buffer Overflow
- EPSS Score: 0.19%
Affected Systems
- Garrett iC Module CMA Version 5.0
- Garrett PD 6500i (equipped with CMA)
- Garrett MZ 6100 (equipped with CMA)
- iC Module CMA Version 5.0 (fixed in 5.1)
Exploit Details
- Talos Intelligence: Original advisory containing crash dump and assembly analysis.
Mitigation Strategies
- Firmware Patching
- Network Segmentation
- Access Control Lists (ACLs)
Remediation Steps:
- Download the CMA Version 5.1 firmware update from the vendor portal.
- Apply the update to all iC Modules attached to PD 6500i and MZ 6100 units.
- Configure network firewalls to block UDP port 6877 from untrusted subnets.
- Isolate physical security devices on a dedicated VLAN with no internet access.