Bug 1943533 (CVE-2021-20294)

Summary: CVE-2021-20294 binutils: stack buffer overflow WRITE may lead to a DoS via a crafted ELF
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: adscvr, ailan, aoliva, caswilli, dvlasenk, erik-fedora, fweimer, jakub, jmitchel, jsamir, jtanner, kaycoth, kshier, ktietz, manisandro, marcandre.lureau, mcermak, mpolacek, mprchlik, nickc, ohudlick, orabin, rhel8-maint, rjones, sipoyare, sthirugn, virt-maint, vkrizan, vmugicag
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: binutils 2.35.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in binutils' readelf program. An attacker who is able to convince a victim using readelf to read a crafted file, could trigger a stack buffer overflow, out-of-bounds write of arbitrary data supplied by the attacker. The highest impact of this flaw is to confidentiality, integrity, and availability.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1947304, 1943534, 1943535, 1945432, 1945433, 1945434, 1945435, 1945436, 1945437, 1945438, 1945439, 1947298, 1947299, 1947300, 1947301, 1947302, 1947303
Bug Blocks: 1938941, 1943536

Description Marian Rehak 2021-03-26 11:24:06 UTC
allows remote attackers to cause a denial of service (stack buffer overflow) or possibly have unspecified other impacts via a crafted ELF

External Reference:

https://sourceware.org/bugzilla/show_bug.cgi?id=26929

Comment 1 Marian Rehak 2021-03-26 11:25:16 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1943534]


Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1943535]

Comment 2 Siddhesh Poyarekar 2021-03-26 12:40:55 UTC
This bug is in the readelf binary (which is not a service) and not bfd (which a service could link to and hence be susceptible to a DoS) so this is just a crash, not a DoS.  This should not be considered a security bug.

Comment 8 Marian Rehak 2021-03-31 09:24:32 UTC
Acknowledgments:

Name: Hao Wang

Comment 9 Todd Cullum 2021-03-31 15:13:56 UTC
Mitigation:

Stack canaries, non-executable stack (NX), and address space layout randomization (ASLR) are binary hardening protections enabled in Red Hat Enterprise Linux 7 and 8 that should greatly limit the impact of this flaw. An additional mitigation is to not use readelf to read files from untrusted sources.

To learn more about binary hardening protections in Red Hat Enterprise Linux, please see https://access.redhat.com/articles/65299
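
As an added illustration of the hardening properties named in the mitigation above (this is not part of the bug report or of binutils), the following Python reads the ELF header and program headers directly and reports whether a binary carries a non-executable stack (a PT_GNU_STACK header without PF_X) and was built as a position-independent executable (ET_DYN, which ASLR needs in order to randomize the main image). Stack-canary detection is not covered. The sample image builder is constructed for the demonstration and does not produce a loadable ELF.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header that records the required stack permissions
PF_X = 0x1                 # execute permission bit in p_flags
ET_EXEC, ET_DYN = 2, 3     # fixed-address executable vs. PIE / shared object


def elf_hardening(data: bytes) -> dict:
    """Report NX-stack and PIE status for an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    # Elf64_Ehdr offsets: e_type@16, e_phoff@32, e_phentsize@54, e_phnum@56
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx_stack = False  # no PT_GNU_STACK at all means the kernel grants an executable stack
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)  # first two Elf64_Phdr fields
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {"nx_stack": nx_stack, "pie": e_type == ET_DYN}


def build_sample_elf(exec_stack: bool, pie: bool) -> bytes:
    """Constructed minimal ELF64 image (header plus one PT_GNU_STACK phdr); not loadable."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0,
                               64, 56, 1, 64, 0, 0)  # e_phoff=64, one 56-byte phdr, no sections
    flags = 0x6 | (PF_X if exec_stack else 0)  # PF_R | PF_W, plus PF_X for an executable stack
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    # Usage (hypothetical script name): python elf_hardening.py /usr/bin/readelf
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_elf(exec_stack=False, pie=True)
    print(path or "constructed sample", elf_hardening(data))
```

Run against the installed readelf to confirm both properties hold on a given system; a result of `nx_stack: False` or `pie: False` means the corresponding mitigation from the comment above is not in effect for that binary.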

Comment 12 Todd Cullum 2021-03-31 23:19:31 UTC
In reply to comment #2:
> This bug is in the readelf binary (which is not a service) and not bfd
> (which a service could link to and hence be susceptible to a DoS) so this is
> just a crash, not a DoS.  This should not be considered a security bug.

It's not a DoS for the reason you mentioned and it requires a potential victim to run readelf on an untrusted file (thus not "remote"), but it does have a stack buffer overflow out-of-bounds write of attacker-supplied data. Therefore, Red Hat Product Security has kept it as a security vulnerability and assigned a CVE.