8.1 CVE-2023-2794

Buffer Overflow
 

A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver().
https://nvd.nist.gov/vuln/detail/CVE-2023-2794

Categories

CWE-119 : Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. This term has many different meanings to different audiences. From a CWE mapping perspective, this term should be avoided where possible. Some researchers, developers, and tools intend for it to mean "write past the end of a buffer," whereas others use the same term to mean "any read or write outside the boundaries of a buffer, whether before the beginning of the buffer or after the end of the buffer." Others could mean "any action after the end of a buffer, whether it is a read or write." Since the term is commonly used for exploitation and for vulnerabilities, it further confuses things. Some prominent vendors and researchers use the term "buffer overrun," but most people use "buffer overflow." See the alternate term for "buffer overflow" for context. Generally used for techniques that avoid weaknesses related to memory access, such as those identified by CWE-119 and its descendants. However, the term is not formal, and there is likely disagreement between practitioners as to which weaknesses are implicitly covered by the "memory safety" term. This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available. Incorrect URI normalization in application traffic product leads to buffer overflow, as exploited in the wild per CISA KEV. Buffer overflow in Wi-Fi router web interface, as exploited in the wild per CISA KEV. Classic stack-based buffer overflow in media player using a long entry in a playlist Heap-based buffer overflow in media player using a long entry in a playlist large precision value in a format string triggers overflow negative offset value leads to out-of-bounds read malformed inputs cause accesses of uninitialized or previously-deleted objects, leading to memory corruption chain: lack of synchronization leads to memory corruption Chain: machine-learning product can have a heap-basedbuffer overflow (CWE-122) when some integer-oriented bounds arecalculated by using ceiling() and floor() on floating point values(CWE-1339) attacker-controlled array index leads to code execution chain: -1 value from a function call was intended to indicate an error, but is used as an array index instead. chain: incorrect calculations lead to incorrect pointer dereference and memory corruption product accepts crafted messages that lead to a dereference of an arbitrary pointer chain: malformed input causes dereference of uninitialized memory OS kernel trusts userland-supplied length value, allowing reading of sensitive information Chain: integer overflow in securely-coded mail program leads to buffer overflow. In 2005, this was regarded as unrealistic to exploit, but in 2020, it was rediscovered to be easier to exploit due to evolutions of the technology. buffer overflow involving a regular expression with a large number of captures chain: unchecked message size metadata allows integer overflow (CWE-190) leading to buffer overflow (CWE-119).

References


 

CPE

cpe start end


REMEDIATION




EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
10 Buffer Overflow via Environment Variables
High
100 Overflow Buffers
Very High
123 Buffer Manipulation
Very High
14 Client-side Injection-induced Buffer Overflow
High
24 Filter Failure through Buffer Overflow
High
42 MIME Conversion
High
44 Overflow Binary Resource File
Very High
45 Buffer Overflow via Symbolic Links
High
46 Overflow Variables and Tags
High
47 Buffer Overflow via Parameter Expansion
High
8 Buffer Overflow in an API Call
High
9 Buffer Overflow in Local Command-Line Utilities
High