Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 30 Jun 2013 16:27:55 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Dan Rosenberg <dan.j.rosenberg@...il.com>
Subject: Re: CVE request: Multiple issues in GNU ZRTPCPP

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/29/2013 08:05 AM, Dan Rosenberg wrote:
> I'd like to request CVEs for multiple security vulnerabilities 
> discovered, reported, and published by Mark Dowd of Azimuth
> Security in GNU ZRTPCPP, an open-source ZRTP implementation used in
> a number of "secure phone" solutions:
> 
> http://blog.azimuthsecurity.com/2013/06/attacking-crypto-phones-weaknesses-in.html

I
> 
guess since this is on the front page of Slashdot I should get the
CVEs for it out =)


> 1. Remote heap overflow
> 
> A remote attacker can cause a heap-based buffer overflow by sending
> an overly-large ZRTP packet of several possible types, including a
> "Hello" packet. Successful exploitation would allow an attacker to
> execute arbitrary code in the context of a vulnerable application.

Please use CVE-2013-2221 for this issue.

> 2. Multiple remote stack overflows
> 
> A remote attacker can cause multiple stack-based buffer overflows
> by sending a malformed ZRTP Hello packet with an overly-large value
> in certain fields, including the count of public keys. Exploitation
> may be difficult due to the details of the layout of stack
> variables in memory, but successful exploitation would allow an
> attacker to execute arbitrary code in the context of a vulnerable
> application.

Please use CVE-2013-2222 for this issue.

> 3. Multiple remote heap memory disclosures
> 
> By sending a truncated ZRTP Ping packet, the response packet will 
> include several bytes of the affected application's heap memory due
> to a lack of validation on the incoming packet. This flaw could be
> exploited to gain knowledge about the heap state of an affected
> application to enable further attacks, or potentially reveal
> sensitive information stored on the heap.

Please use CVE-2013-2223 for this issue.

> The fixes for all of these flaws were included in the following
> commit: 
> https://github.com/wernerd/ZRTPCPP/commit/c8617100f359b217a974938c5539a1dd8a120b0e
>
> 
> 
> Regards, Dan
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR0LDrAAoJEBYNRVNeJnmTLXMP/1yzS8rnivHC8AbDHl9QVmSI
tX5qPZpnS9mnXgy7W11nChZFCsh2C6Q6DXge4kB5b45QHll4+hAyUueVWhS2WhAb
Qx0v1+NBHbSvp4sDlX5WzkoSY7a+ce94uPczdjvQK33Xoka5GTEFXt0rv59SSeSa
tskErR52E6nI+GQBhG1FJqzLxe3vsAr06Mc6EW1mbYyrXwNAJfA0QdVZPbNHMxeX
hqkRXBGsESLHI2JHNRJXcznd9nKVqWk2alkmsBDdVvbyvdtCNdMDCIg5lVjFszuR
GEdDLHH5enzXL3VQ3XhCzg+yJSNS2Z2T7Y2tNW354Qi80Rn1TRsSDCSaGvzK+gNU
42VRrSei6mHpRGiCWGwb9fE2E1YYfeodEAqD5Bf1Sbctuk6exHRRNmzTrgs2iJId
UVJY2AD79cNn318oL3Rj57XdswDvpNlpnGkzp8T/v4LT99VrhrRN/S4YZlp4j8l1
B71HYp7wNMKPiI+y4O2kltPXOts9Da2k8m/v0f7Rkm19+p0gbDX+ANgqmO92fGol
rQk+9rlNnvtyjfdvYo6XEWKdhhWYjobFZvQEzTARHJ7E288B/fHO4xOqy2s5dy8Q
RKAmPpoTCoB6JJRn96PH8ISasMu83msh0cm/6S9y63XVduFgeezK9ZjvWzJasQTe
n7gJWS9XcD/SjmSWQQkh
=qje4
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.