GNU binutils 2.29 libbfd elf32-i386.c File Descriptor integer overflow

Summaryinfo

A vulnerability was found in GNU binutils 2.29. It has been rated as critical. Affected by this issue is some unknown functionality of the file elf32-i386.c of the component libbfd. Performing a manipulation as part of File Descriptor results in integer overflow. This vulnerability was named CVE-2017-14745. The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is advised.

Detailsinfo

A vulnerability classified as critical has been found in GNU binutils 2.29 (Programming Tool Software). This affects an unknown function of the file elf32-i386.c of the component libbfd. The manipulation as part of a File Descriptor leads to a integer overflow vulnerability. CWE is classifying the issue as CWE-190. The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1 value as a sorting count instead of an error flag, which allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.

The bug was discovered 09/18/2017. The weakness was presented 09/26/2017 as Bug 22148 as not defined bug report (Bugzilla). It is possible to read the advisory at sourceware.org. This vulnerability is uniquely identified as CVE-2017-14745 since 09/26/2017. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details of the vulnerability are known, but there is no available exploit.

The vulnerability was handled as a non-public zero-day exploit for at least 8 days. During that time the estimated underground price was around $0-$5k. The vulnerability scanner Nessus provides a plugin with the ID 105225 (openSUSE Security Update : binutils (openSUSE-2017-1330)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family SuSE Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 170509 (SUSE Enterprise Linux Security Update for binutils (SUSE-SU-2017:3170-1)).

Upgrading eliminates this vulnerability. A possible mitigation has been published 3 months after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (105225). See VDB-98231, VDB-98373, VDB-99063 and VDB-99064 for similar entries. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Programming Tool Software

Vendor

• GNU

Name

• binutils

Version

• 2.29

License

• open-source

Website

• Vendor: https://www.gnu.org/

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion