
CVE-2022-36063: CWE-121: Stack-based Buffer Overflow in azure-rtos usbx

Medium
Published: Mon Oct 10 2022 (10/10/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: azure-rtos
Product: usbx

Description

Azure RTOS USBx is a USB host, device, and on-the-go (OTG) embedded stack, fully integrated with Azure RTOS ThreadX and available for all Azure RTOS ThreadX–supported processors. The Azure RTOS USBX implementation of host support for USB CDC ECM includes an integer underflow and a buffer overflow in the `_ux_host_class_cdc_ecm_mac_address_get` function, which may potentially be exploited to achieve remote code execution or denial of service. Setting the MAC address string descriptor length to `0` or `1` allows an attacker to introduce an integer underflow in `string_length`, followed by a buffer overflow of the `cdc_ecm->ux_host_class_cdc_ecm_node_id` array. This may allow one to redirect the code execution flow or introduce a denial of service. The fix has been included in USBX release [6.1.12](https://github.com/azure-rtos/usbx/releases/tag/v6.1.12_rel). Improved MAC address string descriptor length validation that checks for unexpectedly small values may be used as a workaround.

AI-Powered Analysis

Last updated: 06/21/2025, 23:41:45 UTC

Technical Analysis

CVE-2022-36063 is a stack-based buffer overflow vulnerability identified in the Azure RTOS USBX component, specifically within the USB host support for the USB CDC ECM (Communications Device Class Ethernet Control Model) implementation. Azure RTOS USBX is an embedded USB stack integrated with Azure RTOS ThreadX, widely used in embedded devices across various industries. The vulnerability arises from improper handling of the MAC address string descriptor length in the function `_ux_host_class_cdc_ecm_mac_address_get`. When the MAC address string descriptor length is set to an unexpectedly small value such as 0 or 1, it triggers an integer underflow due to insufficient validation. This underflow subsequently leads to a buffer overflow in the `cdc_ecm->ux_host_class_cdc_ecm_node_id` array on the stack. Exploitation of this vulnerability could allow an attacker to overwrite the stack, potentially redirecting code execution flow or causing a denial of service (DoS) by crashing the system. The vulnerability affects all versions of USBX prior to 6.1.12, where the issue has been addressed by improved validation of the MAC address string descriptor length. No known exploits have been reported in the wild to date. The vulnerability is classified under CWE-121 (stack-based buffer overflow) and CWE-191 (integer underflow), indicating a critical memory corruption flaw triggered by arithmetic errors in input validation. Given the embedded nature of USBX and its integration with ThreadX, this vulnerability is particularly relevant for embedded systems that rely on USB CDC ECM functionality for network communication over USB interfaces.

Potential Impact

For European organizations, the impact of this vulnerability depends largely on the deployment of embedded devices using Azure RTOS USBX with USB CDC ECM support. Potentially affected devices include industrial control systems, medical devices, IoT gateways, and network equipment that utilize USB-based Ethernet communication. Successful exploitation could lead to remote code execution, allowing attackers to gain control over the affected device, or cause denial of service, disrupting critical operations. This is particularly concerning for sectors such as manufacturing, healthcare, and critical infrastructure where embedded devices play a vital role. The ability to remotely exploit this vulnerability without authentication and with minimal user interaction increases the risk profile. Disruption or compromise of embedded devices could lead to operational downtime, data breaches, or serve as a foothold for lateral movement within networks. Given the increasing reliance on embedded systems in European industrial and critical infrastructure environments, this vulnerability poses a tangible risk to operational continuity and security.

Mitigation Recommendations

1. Immediately upgrade to USBX version 6.1.12 or later to apply the official patch, which includes improved validation of the MAC address string descriptor length.
2. For organizations unable to upgrade immediately, implement a workaround by adding strict validation checks on the MAC address string descriptor length to reject values of 0 or 1 before processing.
3. Conduct an inventory of embedded devices using Azure RTOS USBX with USB CDC ECM support to identify potentially vulnerable systems.
4. Employ network segmentation and strict access controls to limit exposure of embedded devices to untrusted networks, reducing the attack surface.
5. Monitor USB traffic and device behavior for anomalies indicative of exploitation attempts, such as unexpected USB device descriptors or crashes.
6. Collaborate with device manufacturers and vendors to ensure timely updates and patches are applied to embedded products in use.
7. Incorporate this vulnerability into vulnerability management and incident response plans, preparing for potential exploitation scenarios.
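As an added illustration of the length check described in the description and in recommendation 2 (this is not code from the USBX project): a hypothetical C parser for the MAC address string descriptor, showing the unsigned arithmetic that wraps for a `bLength` of 0 or 1 beside a validator that rejects such descriptors before anything is decoded into the node ID buffer. The function names, the `NODE_ID_LEN` constant and the 26-byte descriptor layout (2 header bytes plus 12 UTF-16LE hex digits) are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical constants, not USBX's identifiers. A MAC address is 6 bytes, so its
 * string descriptor carries 12 hex digits in UTF-16LE: 2 header + 12*2 = 26 bytes. */
#define NODE_ID_LEN        6
#define USB_DT_STRING      0x03
#define MAC_DESC_LEN       (2 + NODE_ID_LEN * 2 * 2)

/* Naive pattern: trusts bLength and derives the character count with unsigned
 * arithmetic. A bLength of 0 or 1 wraps to a huge count, the shape described
 * in the advisory above (the length is only computed here; nothing is copied). */
uint32_t naive_string_chars(const uint8_t *desc)
{
    uint32_t blength = desc[0];
    return (blength - 2u) / 2u;   /* underflows when blength < 2 */
}

static int hex_nibble(uint8_t c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hardened parser: checks bLength against the bytes actually received and the
 * exact size a MAC string must have before touching the payload, then decodes
 * the 12 hex digits into node_id. Returns 0 on success, -1 on rejection. */
int parse_mac_string_descriptor(const uint8_t *desc, size_t avail,
                                uint8_t node_id[NODE_ID_LEN])
{
    if (desc == NULL || avail < 2) return -1;
    uint8_t blength = desc[0];
    /* rejects 0, 1 and every other size that cannot hold a 12-digit MAC */
    if (blength != MAC_DESC_LEN || blength > avail) return -1;
    if (desc[1] != USB_DT_STRING) return -1;
    for (size_t i = 0; i < NODE_ID_LEN; i++) {
        /* each UTF-16LE code unit must be an ASCII hex digit (high byte zero) */
        const uint8_t *u = &desc[2 + i * 4];
        int hi = hex_nibble(u[0]), lo = hex_nibble(u[2]);
        if (hi < 0 || lo < 0 || u[1] != 0 || u[3] != 0) return -1;
        node_id[i] = (uint8_t)((hi << 4) | lo);
    }
    return 0;
}
```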


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-07-15T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9849c4522896dcbf68e6

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/21/2025, 11:41:45 PM

Last updated: 8/1/2025, 6:20:43 AM
