[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request: Multiple issues in GNU ZRTPCPP
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-06-30 22:27:55
Message-ID: 51D0B0EB.5030804 () redhat ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/29/2013 08:05 AM, Dan Rosenberg wrote:
> I'd like to request CVEs for multiple security vulnerabilities 
> discovered, reported, and published by Mark Dowd of Azimuth
> Security in GNU ZRTPCPP, an open-source ZRTP implementation used in
> a number of "secure phone" solutions:
> 
> http://blog.azimuthsecurity.com/2013/06/attacking-crypto-phones-weaknesses-in.html

I
> 
guess since this is on the front page of Slashdot I should get the
CVEs for it out =)


> 1. Remote heap overflow
> 
> A remote attacker can cause a heap-based buffer overflow by sending
> an overly-large ZRTP packet of several possible types, including a
> "Hello" packet. Successful exploitation would allow an attacker to
> execute arbitrary code in the context of a vulnerable application.

Please use CVE-2013-2221 for this issue.

> 2. Multiple remote stack overflows
> 
> A remote attacker can cause multiple stack-based buffer overflows
> by sending a malformed ZRTP Hello packet with an overly-large value
> in certain fields, including the count of public keys. Exploitation
> may be difficult due to the details of the layout of stack
> variables in memory, but successful exploitation would allow an
> attacker to execute arbitrary code in the context of a vulnerable
> application.

Please use CVE-2013-2222 for this issue.

> 3. Multiple remote heap memory disclosures
> 
> By sending a truncated ZRTP Ping packet, the response packet will 
> include several bytes of the affected application's heap memory due
> to a lack of validation on the incoming packet. This flaw could be
> exploited to gain knowledge about the heap state of an affected
> application to enable further attacks, or potentially reveal
> sensitive information stored on the heap.

Please use CVE-2013-2223 for this issue.

> The fixes for all of these flaws were included in the following
> commit: 
> https://github.com/wernerd/ZRTPCPP/commit/c8617100f359b217a974938c5539a1dd8a120b0e
>
> 
> 
> Regards, Dan
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR0LDrAAoJEBYNRVNeJnmTLXMP/1yzS8rnivHC8AbDHl9QVmSI
tX5qPZpnS9mnXgy7W11nChZFCsh2C6Q6DXge4kB5b45QHll4+hAyUueVWhS2WhAb
Qx0v1+NBHbSvp4sDlX5WzkoSY7a+ce94uPczdjvQK33Xoka5GTEFXt0rv59SSeSa
tskErR52E6nI+GQBhG1FJqzLxe3vsAr06Mc6EW1mbYyrXwNAJfA0QdVZPbNHMxeX
hqkRXBGsESLHI2JHNRJXcznd9nKVqWk2alkmsBDdVvbyvdtCNdMDCIg5lVjFszuR
GEdDLHH5enzXL3VQ3XhCzg+yJSNS2Z2T7Y2tNW354Qi80Rn1TRsSDCSaGvzK+gNU
42VRrSei6mHpRGiCWGwb9fE2E1YYfeodEAqD5Bf1Sbctuk6exHRRNmzTrgs2iJId
UVJY2AD79cNn318oL3Rj57XdswDvpNlpnGkzp8T/v4LT99VrhrRN/S4YZlp4j8l1
B71HYp7wNMKPiI+y4O2kltPXOts9Da2k8m/v0f7Rkm19+p0gbDX+ANgqmO92fGol
rQk+9rlNnvtyjfdvYo6XEWKdhhWYjobFZvQEzTARHJ7E288B/fHO4xOqy2s5dy8Q
RKAmPpoTCoB6JJRn96PH8ISasMu83msh0cm/6S9y63XVduFgeezK9ZjvWzJasQTe
n7gJWS9XcD/SjmSWQQkh
=qje4
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]