An issue was discovered in dec_patch_dictionary.cc in libjxl before 0.8.2. An integer underflow in patch decoding can lead to a denial of service, such as an infinite loop.

**Changed**

*   Security: Fix an integer underflow bug in patch decoding (#2551).

**Note:** This release is for evaluation purposes and may contain bugs, including security bugs, that may not be individually documented when fixed. See the SECURITY.md file for details. Always prefer to use the latest release.

Please provide feedback and report bugs here.

CVE-2023-35790: Release v0.8.2 · libjxl/libjxl

HP-UX could be exploited locally to create a Denial of Service (DoS) when any physical interface is configured with IPv6/inet6.  

CVE-2023-30903

An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 7 Jun 2023 11:32:31 +0800
From: Hangyu Hua <hbh25y@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: off-by-one in fl\_set\_geneve\_opt

Hi guys,

I find a off-by-one bug in linux kernel's Flower
classifier(NET\_CLS\_FLOWER). It can cause denial-of-service and privilege 
escalation.

# Details:

static int fl\_set\_geneve\_opt(const struct nlattr \*nla, struct 
fl\_flow\_key \*key,
      int depth, int option\_len,
      struct netlink\_ext\_ack \*extack)
{
struct nlattr \*tb\[TCA\_FLOWER\_KEY\_ENC\_OPT\_GENEVE\_MAX + 1\];
struct nlattr \*class = NULL, \*type = NULL, \*data = NULL;
struct geneve\_opt \*opt;
int err, data\_len = 0;

if (option\_len > sizeof(struct geneve\_opt))
data\_len = option\_len - sizeof(struct geneve\_opt);

opt = (struct geneve\_opt \*)&key->enc\_opts.data\[key->enc\_opts.len\]; <--- \[1\]
memset(opt, 0xff, option\_len);
opt->length = data\_len / 4;
opt->r1 = 0;
opt->r2 = 0;
opt->r3 = 0;

...
if (tb\[TCA\_FLOWER\_KEY\_ENC\_OPT\_GENEVE\_DATA\]) {
int new\_len = key->enc\_opts.len;

data = tb\[TCA\_FLOWER\_KEY\_ENC\_OPT\_GENEVE\_DATA\];
data\_len = nla\_len(data);
if (data\_len < 4) {
NL\_SET\_ERR\_MSG(extack, "Tunnel key geneve option data is less than 4
bytes long");
return -ERANGE;
}
if (data\_len % 4) {
NL\_SET\_ERR\_MSG(extack, "Tunnel key geneve option data is not a
multiple of 4 bytes long");
return -ERANGE;
}

new\_len += sizeof(struct geneve\_opt) + data\_len;
BUILD\_BUG\_ON(FLOW\_DIS\_TUN\_OPTS\_MAX != IP\_TUNNEL\_OPTS\_MAX);
if (new\_len > FLOW\_DIS\_TUN\_OPTS\_MAX) { <--- \[2\]
NL\_SET\_ERR\_MSG(extack, "Tunnel options exceeds max size");
return -ERANGE;
}
opt->length = data\_len / 4;
memcpy(opt->opt\_data, nla\_data(data), data\_len); <--- \[3\]
}
...
}

We can see that opt use key->enc\_opts.len to get its pointer from
key->enc\_opts.data\[\] in \[1\]. Then length will be set to "data\_len /
4". The bug is that if we send two TCA\_FLOWER\_KEY\_ENC\_OPTS\_GENEVE
packets and their total size is 252 bytes(key->enc\_opts.len = 252)
then key->enc\_opts.len = opt->length = data\_len / 4 when the third
TCA\_FLOWER\_KEY\_ENC\_OPTS\_GENEVE packet enters fl\_set\_geneve\_opt. This
can bypass the check in \[2\] and cause out of bound write in
\[3\](opt->opt\_data = key->enc\_opts.data\[257\]).

# Patch

I already contacted the linux security team and made a patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/sched?id=4d56304e5827c8cc8cc18c75343d283af7c4825c

# CVE

Pending

# EXP

In order to avoid confusion i will publish it after I get CVE.

Thanks,
Hangyu

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-35788: security - Linux kernel: off-by-one in fl_set_geneve_opt

A stack-based buffer overflow issue was found in ImageMagick's coders/tiff.c. This flaw allows an attacker to trick the user into opening a specially crafted malicious tiff file, causing an application to crash, resulting in a denial of service.

Expand Up

@@ -2001,6 +2001,11 @@ static Image \*ReadTIFFImage(const ImageInfo \*image\_info,

if (HeapOverflowSanityCheck(rows,sizeof(\*tile\_pixels)) != MagickFalse)

ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");

extent=MagickMax(rows\*TIFFTileRowSize(tiff),TIFFTileSize(tiff));

#if defined(TIFF\_VERSION\_BIG)

extent+=image->columns\*sizeof(uint64);

#else

extent+=image->columns\*sizeof(uint32);

#endif

tile\_pixels=(unsigned char \*) AcquireQuantumMemory(extent,

sizeof(\*tile\_pixels));

if (tile\_pixels == (unsigned char \*) NULL)

Expand Down

CVE-2023-3195: fix stack overflow when parsing malicious tiff image · ImageMagick/ImageMagick@f620340

A heap use after free issue was discovered in ImageMagick's ReplaceXmpValue() function in MagickCore/profile.c. An attacker could trick user to open a specially crafted file to convert, triggering an heap-use-after-free write error, allowing an application to crash, resulting in a denial of service.

'2214149?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-34475: Invalid Bug ID

A heap-based buffer overflow issue was discovered in ImageMagick's ReadTIM2ImageData() function in coders/tim2.c. A local attacker could trick the user in opening specially crafted file, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.

'2214148?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-34474: Invalid Bug ID

To properly secure DNS infrastructure, organizations need strong security hygiene and records management, as well as DNS traffic monitoring and filtering.

As a core backbone of the infrastructure, Domain Name Service (DNS) acts as the phone book of the Internet. It helps route users hunting for a specific domain name and connects them to the resources of the IP address connected to that domain. When it runs the way it is supposed to, it is nearly invisible to the typical user — and even to many technical administrators. This lends an air of obscure simplicity that leads many organizations to assume that DNS is a background service that doesn't require more than basic protection and is covered by other Web and email defenses.

That couldn't be further from the truth. A new report from Dark Reading outlines the threats against DNS and what organizations should do to secure DNS infrastructure.

Some of the most common DNS attacks include:

*   Denial of service, which overwhelms DNS services with traffic to disrupt or disable DNS service at an organization.
*   DNS cache poisoning, which manipulates the DNS cache to redirect users trying to go to a legitimate domain to a malicious IP address.
*   DNS hijacking, which changes the DNS records of a domain to redirect users to a malicious IP.
*   DNS tunneling, which leverages outbound DNS traffic to smuggle malicious data from malware exploitation back to attackers' C2 infrastructure.
*   Dangling DNS, which takes over an unused subdomain on cloud and other infrastructure to impersonate a brand or use as a foothold for other attacks.

To ensure the proper security of DNS infrastructure, organizations need a solid combination of strong security hygiene around DNS infrastructure and records management, close monitoring of DNS traffic, effective filtering, and deployment of more advanced protocols, like DNSSEC. The cost of not employing these measures can be high. The average cost of a successful DNS attack is upward of $1 million.

When attacks happen, sometimes the best that many organizations can do is to literally pull the plug on their DNS or network infrastructure.

The Dark Reading report, "Everything You Need to Know About DNS Attacks," explores the nuances of the DNS security awareness gap, including why organizations are struggling to implement a full slate of DNS security measures and what it will take to combat these common DNS attacks. The report examines how to harden DNS infrastructure from attacks, the importance of creating more visibility around DNS, and how DNS protection measures can actually be used to improve other areas of cybersecurity awareness.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Getting Over the DNS Security Awareness Gap

The DDoS collective claims to be teaming up with ReVIL and Anonymous Sudan for destructive financial attacks in retaliation for US aid in Ukraine, but the partnerships (and danger) are far from verified.

The pro-Russian hacktivist collective known as Killnet claims to be working in concert with a resurgent form of the notorious ReVIL ransomware gang. The goal? To mount an attack on the Western financial system.

The group is warning that attacks are imminent, as in the next day or so; but it's unclear whether the threats amount to anything more than bluster and saber-rattling, particularly given Killnet's past track record of, at most, carrying out mildly disruptive distributed denial of service (DDoS) attacks.

Even so, in a video posted on a Russian Telegram channel on June 16, Killnet made ominous threats against the SWIFT banking system (famously targeted by Lazarus in 2018); the Wise international wire transfer system; the SEPA intra-Europe payments service; central banks in Europe and the US (i.e., the Federal Reserve); and other institutions.

"The post claims that threat actors from Killnet, REvil, and Anonymous Sudan will unite for the campaign," according to ZeroFox researchers, writing in a flash alert on the threat. "Killnet indicates that the attack is motivated by the US providing weapons to aid Ukraine, stating: 'repel the maniacs according to the formula, no money — no weapons — no Kiev regime.'"

**Killnet's New Besties: Real or Imaginary?**

When it comes to the claimed partnerships, Anonymous Sudan is an emergent DDoS player that targeted entities in France, Germany, the Netherlands, and Sweden earlier this year, ostensibly in retaliation for perceived anti-Islamic activity in each of these countries. However, despite this religious persona, Trustwave researchers in the past have tied Anonymous Sudan to Killnet, noting it could simply be a masked subsidiary.

As for ReVIL, which imploded in 2022 after a Russian takedown, evidence of a re-emergence is one day old: On June 15, a Telegram channel called, fittingly, "REvil," was created. It was used to circulate a shout-out ("Hello Killnet") that went on to be heavily re-posted in a Killnet-affiliated Telegram channel, according to ZeroFox.

"This is the only post in channel to date and no additional evidence substantiating the partnership has been observed," the researchers noted.

A previous whiff of ReVIL's resurrection came more than a year ago, when rumors surfaced that some members were regrouping — but nothing more came of it.

Killnet could be fabricating the ReVIL partnership to lend some heft and gravitas to its threats against some tough targets. While Killnet has successfully gone after big game before, such as the White House and SpaceX satellite comms in Ukraine, these had "limited impact, causing short service outages and disrupting access to information," ZeroFox researchers said. A ReVIL partnership that's more than a flight of fancy "would allow them greater access to vulnerability exploitation, network intrusion, and data exfiltration."

Absent that, "the \[threatened attacks\], if legitimate, are unlikely to result in mass or prolonged outages to Western banking infrastructure, despite the newly claimed relationships with REvil and Anonymous Sudan," they added.

Even so, the publicity push around a supposedly imminent financial catastrophe could be simply an effort to harry Western governments and financial institutions, ZeroFox concluded — or, given Killnet's penchant for shenanigans, just an attempt to garner attention and notoriety.

Killnet Threatens Imminent SWIFT, World Banking Attacks

A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to send crafted TCP packets containing requests to perform arbitrary actions.

TP-Link Archer AX10(EU)\_V1.2\_230220 Buffer Overflow

Posted Jun 16, 2023

Authored by Giuseppe Compare

TP-Link Archer version AX10(EU)\_V1.2\_230220 suffers from a buffer overflow vulnerability.

tags | advisory, overflow

Download | Favorite | View

QuickJob Portal 6.1 Cross Site Scripting

Posted Jun 16, 2023

Authored by CraCkEr

QuickJob Portal version 6.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

Download | Favorite | View

Quicklancer Freelance Marketplace 2.4 Cross Site Scripting

Posted Jun 16, 2023

Authored by CraCkEr

Quicklancer Freelance Marketplace version 2.4 suffers from a cross site scripting vulnerability.

tags | exploit, xss

Download | Favorite | View

QuickHomes Real Estate CMS 1.3 Cross Site Scripting

Posted Jun 16, 2023

Authored by CraCkEr

QuickHomes Real Estate CMS version 1.3 suffers from a cross site scripting vulnerability.

tags | exploit, xss

Download | Favorite | View

Debian Security Advisory 5431-1

Posted Jun 16, 2023

Authored by Debian | Site debian.org

Debian Linux Security Advisory 5431-1 - Xu Biang discovered that missing input sanitizing in Sofia-SIP, a SIP User-Agent library could result in denial of service.

tags | advisory, denial of service

systems | linux, debian

Download | Favorite | View

Ubuntu Security Notice USN-6156-2

Posted Jun 16, 2023

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6156-2 - USN-6156-1 fixed a vulnerability in SSSD. In certain environments, not all packages ended up being upgraded at the same time, resulting in authentication failures when the PAM module was being used. This update fixes the problem. It was discovered that SSSD incorrectly sanitized certificate data used in LDAP filters. When using this issue in combination with FreeIPA, a remote attacker could possibly use this issue to escalate privileges.

tags | advisory, remote

systems | linux, ubuntu

Download | Favorite | View

Debian Security Advisory 5430-1

Posted Jun 16, 2023

Authored by Debian | Site debian.org

Debian Linux Security Advisory 5430-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or bypass of sandbox restrictions.

tags | advisory, java, denial of service, vulnerability, info disclosure

systems | linux, debian

Download | Favorite | View

Red Hat Security Advisory 2023-3644-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3644-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.

tags | advisory

systems | linux, redhat

Download | Favorite | View

Red Hat Security Advisory 2023-3645-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3645-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a denial of service vulnerability.

tags | advisory, denial of service

systems | linux, redhat

Download | Favorite | View

Ubuntu Security Notice USN-6169-1

Posted Jun 16, 2023

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6169-1 - It was discovered that GNU SASL's GSSAPI server could make an out-of-bounds reads if given specially crafted GSS-API authentication data. A remote attacker could possibly use this issue to cause a denial of service or to expose sensitive information.

tags | advisory, remote, denial of service

systems | linux, ubuntu

Download | Favorite | View

Red Hat Security Advisory 2023-3641-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3641-01 - This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. Issues addressed include denial of service, deserialization, resource exhaustion, and server-side request forgery vulnerabilities.

tags | advisory, denial of service, vulnerability

systems | linux, redhat

Download | Favorite | View

Red Hat Security Advisory 2023-3642-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3642-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, denial of service, information leakage, spoofing, and traversal vulnerabilities.

tags | advisory, denial of service, spoof, vulnerability, xss

systems | linux, redhat

Download | Favorite | View

Debian Security Advisory 5429-1

Posted Jun 16, 2023

Authored by Debian | Site debian.org

Debian Linux Security Advisory 5429-1 - Multiple vulnerabilities have been discovered in Wireshark, a network protocol analyzer which could result in denial of service or the execution of arbitrary code.

tags | advisory, denial of service, arbitrary, vulnerability, protocol

systems | linux, debian

Download | Favorite | View

Ubuntu Security Notice USN-6168-1

Posted Jun 16, 2023

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6168-1 - Gregory James Duck discovered that libx11 incorrectly handled certain Request, Event, or Error IDs. If a user were tricked into connecting to a malicious X Server, a remote attacker could possibly use this issue to cause libx11 to crash, resulting in a denial of service.

tags | advisory, remote, denial of service

systems | linux, ubuntu

Download | Favorite | View

Debian Security Advisory 5428-1

Posted Jun 16, 2023

Authored by Debian | Site debian.org

Debian Linux Security Advisory 5428-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

tags | advisory, denial of service, arbitrary, info disclosure

systems | linux, debian

Download | Favorite | View

Red Hat Security Advisory 2023-3622-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3622-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, code execution, cross site request forgery, denial of service, information leakage, insecure permissions, and resource exhaustion vulnerabilities.

tags | advisory, denial of service, vulnerability, code execution, csrf

systems | linux, redhat

Download | Favorite | View

Red Hat Security Advisory 2023-3624-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3624-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.

tags | advisory, web, denial of service

systems | linux, redhat

Download | Favorite | View

Red Hat Security Advisory 2023-3623-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3623-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. These new packages include numerous enhancements and bug fixes. Issues addressed include cross site scripting and denial of service vulnerabilities.

tags | advisory, denial of service, vulnerability, xss

systems | linux, redhat

Download | Favorite | View

Ubuntu Security Notice USN-6155-2

Posted Jun 16, 2023

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6155-2 - USN-6155-1 fixed a vulnerability in Requests. This update provides the corresponding update for Ubuntu 16.04 ESM and 18.04 ESM. Dennis Brinkrolf and Tobias Funke discovered that Requests incorrectly leaked Proxy-Authorization headers. A remote attacker could possibly use this issue to obtain sensitive information.

tags | advisory, remote

systems | linux, ubuntu

Download | Favorite | View

Suricata IDPE 6.0.13

Posted Jun 16, 2023

Site suricata.io

Suricata is a network intrusion detection and prevention engine developed by the Open Information Security Foundation and its supporting vendors. The engine is multi-threaded and has native IPv6 support. It's capable of loading existing Snort rules and signatures and supports the Barnyard and Barnyard2 tools.

Changes: 1 security fix, 11 bug fixes, 1 task, and 2 documentation updates.

tags | tool, intrusion detection

systems | unix

Download | Favorite | View

Debian Security Advisory 5427-1

Posted Jun 16, 2023

Authored by Debian | Site debian.org

Debian Linux Security Advisory 5427-1 - An anonymous researcher discovered that processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited. An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

tags | advisory, web, arbitrary, code execution

systems | linux, debian, apple

Download | Favorite | View

Red Hat Security Advisory 2023-3610-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3610-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, memory exhaustion, and resource exhaustion vulnerabilities.

tags | advisory, denial of service, vulnerability, code execution, xss, csrf

systems | linux, redhat

Download | Favorite | View

Textpattern CMS 4.8.8 Command Injection

Posted Jun 16, 2023

Authored by tmrswrr

Textpattern CMS version 4.8.8 suffers from a command injection vulnerability.

tags | exploit

Download | Favorite | View

WordPress Abandoned Cart Lite For WooCommerce 5.14.2 Authentication Bypass

Posted Jun 16, 2023

Authored by ayantaker | Site github.com

WordPress Abandoned Cart Lite for WooCommerce plugin versions 5.14.2 and below proof of concept authentication bypass exploit.

tags | exploit, proof of concept, bypass

Download | Favorite | View

Red Hat Security Advisory 2023-3609-01

Posted Jun 16, 2023

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-3609-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.

tags | advisory

systems | linux, redhat

Download | Favorite | View

CVE-2023-30223: Packet Storm

A lack of exception handling in the Volkswagen Discover Media Infotainment System Software Version 0876 allows attackers to cause a Denial of Service (DoS) via supplying crafted media files when connecting a device to the vehicle's USB plug and play feature.

**Volkswagen Jetta (2021) Infotainment System Vulnerability Report**

I reported a vulnerability to "https://www.volkswagen.de/de/mehr/rechtliches/kontakt-cyber-security.html"

**Time and date of discovery**

2023.02.28 (Korea Standard Time)

**Target****Product Model**

Volkswagen Jetta 2021

**Version**

It was the latest version as of February 28, 2023.

 

Discover Media(infotainment system of VW) software : 0876  
Media codec : 1.2.0

**Technical Description**

A vulnerability exists in Volkswagen's Infotainment System(Discover Media). I attempted media file fuzzing to find vulnerabilities in Volkswagen's infotainment system.

To automate the fuzzing process(Because transferring files to a USB stick is time consuming), I connected my laptop to Volkswagen's USB port and generated numerous media files with a fuzzer. I then continuously performed real-time media fuzzing by mounting and unmounting the files. I conducted fuzzing on various types of media files such as WAV, MP3, WMA, and OGG, and discovered that the vulnerability existed in a malicious (mutated) OGG file. Since Volkswagen's media player was more robust than expected, I created a separate media file fuzzer specifically for Volkswagen's infotainment system. I fuzzed more than 20,000 media files per day, and discovered the vulnerability in the OGG file after one day of fuzzing.

**Result**

Volkswagen's infotainment system has a USB Plug and Play feature, which means that media files stored on a USB drive will automatically play when inserted into the system. I identified a media file through fuzzing that could trigger vulnerabilities in the infotainment system, and proved this by using a USB stick. As a result, Volkswagen's infotainment system did not turn on again after being turned off.

**The issue persisted even after turning off and on the engine(Even removing the USB drive did not resolve the issue with the infotainment system not turning on again.), and manual reboot of the infotainment system was required to resolve the issue.**

**DEMO #1**PoC.of.VW.1.1.1.mp4**DEMO #2**1.Volkswagen\_USBstick.mp4**Impact**

When a USB is inserted into the port, the media file is automatically played and the Infotainment System is forcibly terminated. This can be a problem with availability. Furthermore, if the crash is caused by a memory-related bug (such as Overflow, OOB, Over Read/Write), it can lead to serious security issues such as Remote Code Execution. Therefore, if you can analyze the crash of the media player, you may be able to identify the cause of the vulnerability.

**Volkswagen's response**

Volkswagen acknowledged the report as a vulnerability

Tag

#dos