A heap overflow vulnerability was found in openslp, that may result in remote code execution.
Created attachment 1640334: Patch openslp 1.2.0
Created attachment 1640335: Patch openslp 2.0.0
Public via: https://seclists.org/oss-sec/2019/q4/129 https://www.vmware.com/security/advisories/VMSA-2019-0022.html Lifting embargo.
External References: https://www.vmware.com/security/advisories/VMSA-2019-0022.html
The `result` buffer in function ProcessSrvRqst() in file slpd/slpd_process.c is reallocated after computing the expected `size`. However, the size is computed using the `urllen` fields from each SLPUrlEntry, while the memcpy in that same function may use the `opaquelen` of the SLPUrlEntry, which could be bigger than the urllen and result in a heap-based buffer overflow. This could result in a crash or in code execution.
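The size/copy mismatch described above, reduced to its essentials as an added example (not openslp's code, and the `UrlEntry` struct, function names and sample strings are constructed assumptions, not the real `SLPUrlEntry` layout): the buggy sizing reserves space from `urllen`, the copy consumes `opaquelen`, and the hardened version sizes from the field the copy actually uses, guards the sum against wrap-around, and bounds-checks every copy so a future drift fails closed instead of overflowing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of an SLP URL entry; not openslp's real
 * SLPUrlEntry. The opaque blob is the raw entry as registered via SrvReg
 * (URL plus other fields), so opaquelen can legitimately exceed urllen. */
typedef struct {
    const unsigned char *opaque; /* raw entry bytes */
    size_t opaquelen;            /* length of the raw entry */
    size_t urllen;               /* length of the URL portion only */
} UrlEntry;

/* "Before" state from the bug report: the reply buffer is sized from urllen
 * even though the copy that follows is keyed on opaquelen. */
size_t buggy_required_size(const UrlEntry *entries, size_t n)
{
    size_t size = 0;
    for (size_t i = 0; i < n; i++)
        size += entries[i].urllen;
    return size;
}

/* Number of bytes a copy keyed on opaquelen actually writes. */
size_t bytes_the_copy_writes(const UrlEntry *entries, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += entries[i].opaquelen;
    return total;
}

/* Test oracle for the mismatch: 1 if the copy would write past what the buggy
 * sizing reserves, 0 otherwise. Suitable as a regression unit test. */
int sizing_mismatch(const UrlEntry *entries, size_t n)
{
    return bytes_the_copy_writes(entries, n) > buggy_required_size(entries, n);
}

/* Hardened sizing: reserve from the same field the copy consumes, and refuse
 * to proceed if the sum would wrap size_t. Returns 0 on success, -1 on wrap. */
int safe_required_size(const UrlEntry *entries, size_t n, size_t *out)
{
    size_t size = 0;
    for (size_t i = 0; i < n; i++) {
        if (entries[i].opaquelen > SIZE_MAX - size)
            return -1;
        size += entries[i].opaquelen;
    }
    *out = size;
    return 0;
}

/* Build the reply with the hardened sizing plus a bounds check on every copy.
 * Returns a malloc'd buffer (caller frees) and its length, or NULL on error. */
unsigned char *build_reply(const UrlEntry *entries, size_t n, size_t *outlen)
{
    size_t size;
    if (safe_required_size(entries, n, &size) != 0)
        return NULL;
    unsigned char *result = malloc(size ? size : 1);
    if (result == NULL)
        return NULL;
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        /* Defensive check: even if sizing drifts again, never write past the end. */
        if (entries[i].opaquelen > size - used) {
            free(result);
            return NULL;
        }
        memcpy(result + used, entries[i].opaque, entries[i].opaquelen);
        used += entries[i].opaquelen;
    }
    *outlen = used;
    return result;
}

/* Constructed sample: two entries whose raw form is longer than their URL
 * (everything after ';' stands in for the non-URL part of the raw entry). */
size_t sample_entries(UrlEntry out[2])
{
    static const char *raw[2] = { "service:x://host1;attr=1",
                                  "service:y://host2;attr=22" };
    for (size_t i = 0; i < 2; i++) {
        out[i].opaque = (const unsigned char *)raw[i];
        out[i].opaquelen = strlen(raw[i]);
        out[i].urllen = (size_t)(strchr(raw[i], ';') - raw[i]);
    }
    return 2;
}

int main(void)
{
    UrlEntry e[2];
    size_t n = sample_entries(e);
    size_t len = 0;
    unsigned char *reply = build_reply(e, n, &len);
    int ok = reply != NULL && sizing_mismatch(e, n) == 1;
    free(reply);
    return ok ? 0 : 1;
}
```

The point of `sizing_mismatch` is that the two sums come from different fields; whichever length the copy loop uses is the one the allocation must be computed from, and the bounds check inside `build_reply` is what turns any remaining discrepancy into a rejected request rather than a heap write.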
Statement: This issue did not affect the versions of openslp as shipped with Red Hat Enterprise Linux 8 as they did not include the slpd service component.
Mitigation: There is no known mitigation.
The URL entries parsed by ProcessSrvRqst() are the ones registered by a service during a SrvReg message, which is used to register a new service. An unauthenticated attacker on the LAN can register a new service with specially crafted URLs that, when parsed during a SrvRqst message - generally used to discover existing services - may trigger the flaw and cause a heap-based buffer overflow, leading to a crash or remote code execution.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:4240 https://access.redhat.com/errata/RHSA-2019:4240
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-5544
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:0199 https://access.redhat.com/errata/RHSA-2020:0199