VuXML ID | Description |
f56669f5-d799-4ff5-9174-64a6d571c451 | bro -- Null pointer dereference and Signed integer overflow
Jon Siwek of Corelight reports:
This is a security patch release to address potential
Denial of Service vulnerabilities:
- Null pointer dereference in the RPC analysis code. RPC
analyzers (e.g. MOUNT or NFS) are not enabled in the
default configuration.
- Signed integer overflow in BinPAC-generated parser code.
The result of this is Undefined Behavior with respect to
the array bounds checking conditions that BinPAC generates,
so it's unpredictable what an optimizing compiler may
actually do under the assumption that signed integer
overflows should never happen. The specific symptom which
led to finding this issue was with the PE analyzer causing
out-of-memory crashes due to large allocations that were
otherwise prevented when the array bounds checking logic
was changed to prevent any possible signed integer overflow.
Discovery: 2019-06-22 | Entry: 2019-08-09 | Affects: bro < 2.6.3
References: https://raw.githubusercontent.com/zeek/zeek/1d874e5548a58b3b8fd2a342fe4aa0944e779809/NEWS
55571619-454e-4769-b1e5-28354659e152 | bro -- invalid memory access or heap buffer over-read
Jon Siwek of Corelight reports:
This is a security patch release to address a potential
Denial of Service vulnerability:
- The NTLM analyzer did not properly handle AV Pair sequences
that were either empty or unterminated, resulting in
invalid memory access or heap buffer over-read. The NTLM
analyzer is enabled by default and used in the analysis
of SMB, DCE/RPC, and GSSAPI protocols.
Discovery: 2019-08-28 | Entry: 2019-09-17 | Affects: bro < 2.6.4
References: https://raw.githubusercontent.com/zeek/zeek/3b5a9f88ece1d274edee897837e280ef751bde94/NEWS
b80f039d-579e-4b82-95ad-b534a709f220 | bro -- "Magellan" remote code execution vulnerability in bundled sqlite
Bro Network Security Monitor reports:
Bro 2.6.1 updates the embedded SQLite to version 3.26.0
to address the "Magellan" remote code execution vulnerability.
The stock Bro configuration/scripts don't use SQLite by
default, but custom user scripts/packages may.
Discovery: 2018-12-01 | Entry: 2018-12-20 | Affects: bro < 2.6.1
References: https://www.bro.org/download/NEWS.bro.html
177fa455-48fc-4ded-ba1b-9975caa7f62a | bro -- Unsafe integer conversions can cause unintentional code paths to be executed
Jon Siwek of Corelight reports:
The following Denial of Service vulnerabilities are addressed:
- Integer type mismatches in BinPAC-generated parser code
and Bro analyzer code may allow for crafted packet data
to cause unintentional code paths in the analysis logic
to be taken due to unsafe integer conversions causing the
parser and analysis logic to each expect different fields
to have been parsed. One such example, reported by Maksim
Shudrak, causes the Kerberos analyzer to dereference a
null pointer. CVE-2019-12175 was assigned for this issue.
- The Kerberos parser allows for several fields to be left
uninitialized, but they were not marked with an &optional
attribute and several usages lacked existence checks.
Crafted packet data could potentially cause an attempt
to access such uninitialized fields, generate a runtime
error/exception, and leak memory. Existence checks and
&optional attributes have been added to the relevant
Kerberos fields.
- BinPAC-generated protocol parsers commonly contain fields
whose length is derived from other packet input, and for
those that allow for incremental parsing, BinPAC did not
impose a limit on how large such a field could grow,
allowing for remotely-controlled packet data to cause
growth of BinPAC's flowbuffer bounded only by the numeric
limit of an unsigned 64-bit integer, leading to memory
exhaustion. There is now a generalized limit for how
large flowbuffers are allowed to grow, tunable by setting
"BinPAC::flowbuffer_capacity_max".
Discovery: 2019-05-29 | Entry: 2019-05-31 | Affects: bro < 2.6.2
References: CVE-2017-12175
746d04dc-507e-4450-911f-4c41e48bb07a | bro -- out of bounds write allows remote DOS
Frank Meier:
Bro before Bro v2.5.2 is vulnerable to an out of bounds write in the ContentLine analyzer allowing remote attackers to cause a denial of service (crash) and possibly other exploitation.
Discovery: 2017-10-16 | Entry: 2018-02-16 | Affects: bro < 2.5.2
References: http://blog.bro.org/2017/10/bro-252-242-release-security-update.html
2f4fd3aa-32f8-4116-92f2-68f05398348e | bro -- multiple memory allocation issues
Corelight reports:
Bro 2.5.4 primarily fixes security issues:
- Multiple fixes and improvements to BinPAC generated code related to array parsing, with potential impact to all Bro's BinPAC-generated analyzers in the form of buffer over-reads or other invalid memory accesses depending on whether a particular analyzer incorrectly assumed that the evaluated-array-length expression is actually the number of elements that were parsed out from the input.
- The NCP analyzer (not enabled by default and also updated to actually work with newer Bro APIs in the release) performed a memory allocation based directly on a field in the input packet and using signed integer storage. This could result in a signed integer overflow and memory allocations of negative or very large size, leading to a crash or memory exhaustion. The new NCP::max_frame_size tuning option now limits the maximum amount of memory that can be allocated.
Discovery: 2018-05-29 | Entry: 2018-06-06 | Affects: bro < 2.5.4
References: https://www.bro.org/download/NEWS.bro.html
044cff62-ed8b-4e72-b102-18a7d58a669f | bro -- integer overflow allows remote DOS
Philippe Antoine of Catena Cyber:
This is a security release that fixes an integer overflow in code generated by binpac. This issue can be used by remote attackers to crash Bro (i.e. a DoS attack). There also is a possibility this can be exploited in other ways. (CVE pending.)
Discovery: 2018-02-14 | Entry: 2018-02-16 | Affects: bro < 2.5.3
References: http://blog.bro.org/2018/02/bro-253-released-security-update.html
d0be41fe-2a20-4633-b057-4e8b25c41780 | bro -- array bounds and potential DOS issues
Corelight reports:
Bro 2.5.5 primarily addresses security issues:
- Fix array bounds checking in BinPAC: for arrays
that are fields within a record, the bounds check
was based on a pointer to the start of the record
rather than the start of the array field, potentially
resulting in a buffer over-read.
- Fix SMTP command string comparisons: the number
of bytes compared was based on the user-supplied
string length and can lead to incorrect matches.
e.g. giving a command of "X" incorrectly matched
"X-ANONYMOUSTLS" (and an empty command matches
anything).
Address potential vectors for Denial of Service:
- "Weird" events are now generally suppressed/sampled
by default according to some tunable parameters.
- Improved handling of empty lines in several text
protocol analyzers that can cause performance issues
when seen in long sequences.
- Add `smtp_excessive_pending_cmds' weird which
serves as a notification for when the "pending
command" queue has reached an upper limit and been
cleared to prevent one from attempting to slowly
exhaust memory.
Discovery: 2018-08-28 | Entry: 2018-08-29 | Affects: bro < 2.5.5
References: https://www.bro.org/download/NEWS.bro.html