Bug 1777788 (CVE-2019-5544)
Field | Value
---|---
Summary | CVE-2019-5544 openslp: Heap-based buffer overflow in ProcessSrvRqst() in slpd_process.c leading to remote code execution
Product | [Other] Security Response
Component | vulnerability
Status | CLOSED ERRATA
Severity | urgent
Priority | urgent
Version | unspecified
Hardware | All
OS | Linux
Reporter | Marian Rehak <mrehak>
Assignee | Red Hat Product Security <security-response-team>
CC | rschiron, security-response-team, vcrhonek, yozone
Keywords | Security
Doc Text | A heap overflow vulnerability was found in OpenSLP. An attacker could use this flaw to gain remote code execution.
Last Closed | 2019-12-16 14:09:30 UTC
Bug Depends On | 1780754, 1781701, 1781702, 1781703, 1788447
Bug Blocks | 1777792

Description
Marian Rehak
2019-11-28 10:39:59 UTC
Created attachment 1640334: Patch openslp 1.2.0
Created attachment 1640335: Patch openslp 2.0.0

Public via:
https://seclists.org/oss-sec/2019/q4/129
https://www.vmware.com/security/advisories/VMSA-2019-0022.html

Lifting embargo.

External References:
https://www.vmware.com/security/advisories/VMSA-2019-0022.html

The `result` buffer in function ProcessSrvRqst() in file slpd/slpd_process.c is reallocated after computing the expected `size`. However, the size is computed using the `urllen` fields from each SLPUrlEntry, while the memcpy in that same function may use the `opaquelen` of the SLPUrlEntry, which could be bigger than the urllen and result in a heap-based buffer overflow. This could result in a crash or in code execution.

Statement:
This issue did not affect the versions of openslp as shipped with Red Hat Enterprise Linux 8 as they did not include the slpd service component.

Mitigation:
There is no known mitigation.

The URL entries parsed by ProcessSrvRqst() are the ones registered by a service during a SrvReg message, which is used to register a new service. An unauthenticated attacker on the LAN can register a new service with specially crafted URLs that, when parsed during a SrvRqst message - generally used to discover existing services - may trigger the flaw and cause a heap-based buffer overflow, leading to a crash or remote code execution.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:4240 https://access.redhat.com/errata/RHSA-2019:4240

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-5544

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2020:0199 https://access.redhat.com/errata/RHSA-2020:0199
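
The sizing mismatch described in this report, as an added example that is not OpenSLP code and not part of the original bug: it contrasts a buffer size summed from `urllen` with one derived from the length the copy actually writes, plus a bounds-checked copy. The `UrlEntry` struct, all function names, and the rule that the copy uses the opaque form when one is present are simplifying assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified entry: not OpenSLP's actual SLPUrlEntry layout. */
typedef struct {
    const char    *url;     size_t urllen;
    const uint8_t *opaque;  size_t opaquelen;  /* opaque == NULL when absent */
} UrlEntry;

/* Length the copy step writes: the opaque form when present, else the URL. */
static size_t copy_len(const UrlEntry *e) { return e->opaque ? e->opaquelen : e->urllen; }

/* Sizing as described in the report: only urllen is summed. */
size_t size_from_urllen(const UrlEntry *v, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += v[i].urllen;
    return total;
}

/* Sizing from the same length the copy uses; SIZE_MAX signals overflow. */
size_t size_from_copy_len(const UrlEntry *v, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = copy_len(&v[i]);
        if (len > SIZE_MAX - total) return SIZE_MAX;
        total += len;
    }
    return total;
}

/* Bounds-checked copy: returns bytes written, or -1 if an entry does not fit. */
long serialize_checked(uint8_t *out, size_t cap, const UrlEntry *v, size_t n) {
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = copy_len(&v[i]);
        if (len > cap - off) return -1;   /* off <= cap always holds here */
        memcpy(out + off, v[i].opaque ? (const void *)v[i].opaque : (const void *)v[i].url, len);
        off += len;
    }
    return (long)off;
}

/* Constructed sample: 13-byte URL, 32-byte opaque form. Returns the bytes
 * by which urllen-based sizing undercounts what the copy writes. */
size_t demo_shortfall(void) {
    static const uint8_t opaque[32] = {0};
    UrlEntry e = { "service:x://h", 13, opaque, sizeof opaque };
    return size_from_copy_len(&e, 1) - size_from_urllen(&e, 1);
}
```

Deriving the allocation size and the copy length from one helper keeps the two from drifting apart, and the per-entry check in `serialize_checked` turns any remaining mismatch into an error return instead of a write past the buffer.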