gsd-2023-4039
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
A failure in the -fstack-protector feature in GCC-based toolchains
that target AArch64 allows an attacker to exploit an existing buffer
overflow in dynamically-sized local variables in your application
without this being detected. This stack-protector failure only applies
to C99-style dynamically-sized local variables or those created using
alloca(). The stack-protector operates as intended for statically-sized
local variables.
The default behavior when the stack-protector
detects an overflow is to terminate your application, resulting in
controlled loss of availability. An attacker who can exploit a buffer
overflow without triggering the stack-protector might be able to change
program flow control to cause an uncontrolled loss of availability or to
go further and affect confidentiality or integrity.
Aliases
Aliases
{ GSD: { alias: "CVE-2023-4039", id: "GSD-2023-4039", }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2023-4039", ], details: "\n\nA failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity.\n\n\n\n\n\n", id: "GSD-2023-4039", modified: "2023-12-13T01:20:27.430843Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "arm-security@arm.com", ID: "CVE-2023-4039", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Arm GNU Toolchain", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "affected", versions: [ { status: "affected", version: "All versions where option -fstack-protector is used", }, ], }, }, ], }, }, ], }, vendor_name: "Arm Ltd", }, { product: { product_data: [ { product_name: "GCC", version: { version_data: [ { version_affected: "=", version_value: "All versions of GCC that target AArch64 when option -fstack-protector is used", }, ], }, }, ], }, vendor_name: "GNU", }, ], }, }, configuration: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\nThe specific conditions where the stack-protector fails to give the desired level of protection are when:\n\n\n<ul>\n <li>using GCC (all unpatched versions) targeting AArch64</li>\n <li>and when the -fstack-protector option is used</li>\n <li>and when the program uses C99-style dynamically-sized local variables or alloca()</li>\n</ul>\n<p>And to be exploitable there must also be a prior vulnerability in the\n program such that an attacker can cause a buffer overflow in these \nlocal variables that overwrites saved register values in the stack.</p>\n\n<br>", }, ], value: "The specific conditions where the stack-protector fails to give the desired level of protection are when:\n\n\n\n * using GCC (all unpatched versions) targeting AArch64\n\n * and when the -fstack-protector option is used\n\n * and when the program uses C99-style dynamically-sized local variables or alloca()\n\n\n\n\nAnd to be exploitable there must also be a prior vulnerability in the\n program such that an attacker can cause a buffer overflow in these \nlocal variables that overwrites saved register values in the stack.\n\n\n\n\n", }, ], credits: [ { lang: "en", value: "Tom Hebb from Meta Red Team X and Maria Markstedter from Azeria Labs", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", }, ], }, generator: { engine: "Vulnogram 0.1.0-dev", }, impact: { cvss: [ { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, ], }, problemtype: { problemtype_data: [ { description: [ { cweId: "CWE-693", lang: "eng", value: "CWE-693 Protection Mechanism Failure", }, ], }, ], }, references: { reference_data: [ { name: "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", refsource: "MISC", url: "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", }, { name: "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf", refsource: "MISC", url: "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf", }, ], }, solution: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\nRecompile vulnerable code using an updated toolchain.\n\n<br>", }, ], value: "Recompile vulnerable code using an updated toolchain.\n\n\n", }, ], source: { discovery: "EXTERNAL", }, }, "nvd.nist.gov": { cve: { configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:gnu:gcc:*:*:*:*:*:*:arm64:*", matchCriteriaId: "C8373A25-594D-4F3F-981B-0D02056992FC", versionEndExcluding: "2023-09-12", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], descriptions: [ { lang: "en", value: "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", }, { lang: "es", value: "Una falla en la función -fstack-protector en cadenas de herramientas basadas en GCC que apuntan a AArch64 permite a un atacante explotar un Desbordamiento de Búfer existente en variables locales de tamaño dinámico en su aplicación sin que esto sea detectado. Esta falla del protector de pila solo se aplica a variables locales de tamaño dinámico estilo C99 o aquellas creadas usando alloca(). El protector de pila funciona según lo previsto para variables locales de tamaño estático. El comportamiento predeterminado cuando el protector de pila detecta un desbordamiento es finalizar su aplicación, lo que resulta en una pérdida controlada de disponibilidad. Un atacante que pueda aprovechar un Desbordamiento del Búfer sin activar el protector de pila podría cambiar el control de flujo del programa para provocar una pérdida incontrolada de disponibilidad o ir más allá y afectar la confidencialidad o la integridad.", }, ], id: "CVE-2023-4039", lastModified: "2024-02-19T23:15:07.680", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 2.5, source: "arm-security@arm.com", type: "Secondary", }, ], }, published: "2023-09-13T09:15:15.690", references: [ { source: "arm-security@arm.com", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", }, { source: "arm-security@arm.com", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf", }, ], sourceIdentifier: "arm-security@arm.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-693", }, ], source: "arm-security@arm.com", type: "Secondary", }, ], }, }, }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.