Today, Talos is disclosing the discovery of four vulnerabilities which have been identified in HDF5. HDF5 is a file format that is designed to be used for storage and organization of large amounts of scientific data and is used to exchange data between applications. In the GIS industry it is used via libraries such as GDAL and OGR, or as part of software like ArcGIS. HDF5 is maintained by The HDF Group, a non-profit organization which Talos coordinated with to ensure these vulnerabilities were disclosed in a responsible manner. These vulnerabilities were patched in the HDF5 1.8.18 release.
The following is a list of the vulnerabilities that have been identified and patched:
- CVE-2016-4330 (TALOS-2016-0176) - HDF5 Group libhdf5 H5T_ARRAY Code Execution Vulnerability
- CVE-2016-4331 (TALOS-2016-0177) - HDF5 Group libhdf5 H5Z_NBIT Code Execution Vulnerability
- CVE-2016-4332 (TALOS-2016-0178) - HDF5 Group libhdf5 Shareable Message Type Code Execution Vulnerability
- CVE-2016-4333 (TALOS-2016-0179) - HDF5 Group libhdf5 H5T_COMPOUND Code Execution Vulnerability
TALOS-2016-0176
A vulnerability exists because the library fails to check that the number of dimensions read from the file for an array datatype is within the bounds of the space allocated for it. When reading elements from the file into this array, a heap-based buffer overflow will occur, potentially leading to arbitrary code execution in the context of the application using the library.
TALOS-2016-0177
A buffer overflow vulnerability exists when the library is decoding data out of a dataset encoded with H5Z_NBIT. When calculating the precision of an encoded BCD number, the library will fail a bounds check, leading the library to calculate an index outside the bounds of the space allocated for the BCD number. The library will then write outside the bounds of the buffer, leading to a heap-based buffer overflow and possible code execution.
TALOS-2016-0178
A vulnerability exists due to the library's failure to check if specific message types support a particular flag. When this flag is set, the library will cast the structure to an alternate structure and then assign to fields that aren't supported by the message type. Because the message type is not able to support this flag, the library will write outside the bounds of the heap buffer, which can lead to code execution.
TALOS-2016-0179
This report details a heap-based buffer overflow which manifests in the H5O_dtype_decode_helper routine when parsing an HDF file. Due to inadequate handling of certain values in memory while the file is being parsed, a user who opens a specifically crafted HDF file could trigger this flaw and achieve code execution in the context of the application using the library.
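As an added illustration, not libhdf5 code and not the on-disk HDF5 encoding, the following C decoder for a constructed array-type header shows the kinds of checks whose absence TALOS-2016-0176 and TALOS-2016-0177 describe: the rank read from the file is bounded before dimensions are copied into fixed storage, the element count is guarded against integer overflow, and an N-bit style precision/offset pair is verified to fit inside the element before it is used to compute an index. The field layout, the caps, and every function and type name here are assumptions made for the example.

```c
/* Added example: a hardened decoder for a constructed, HDF5-like "array
 * datatype" header. The byte layout below is invented for illustration and
 * is NOT the real H5T_ARRAY or H5Z_NBIT encoding used by libhdf5. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_NDIMS    32           /* our own cap on rank (assumption) */
#define MAX_ELEMENTS (1u << 24)   /* our own cap on element count (assumption) */

typedef struct {
    uint8_t  ndims;
    uint32_t dims[MAX_NDIMS];     /* fixed storage: rank must be checked first */
    uint8_t  elem_size;           /* bytes per element */
    uint8_t  precision;           /* N-bit style: bits actually used */
    uint8_t  offset;              /* N-bit style: bit offset within the element */
    size_t   total_bytes;
} array_hdr_t;

/* Constructed layout: ndims(1) | dims(ndims x 4, little-endian) | elem_size(1) |
 * precision(1) | offset(1).  Returns 0 on success, a negative code on rejection. */
int decode_array_hdr(const uint8_t *buf, size_t len, array_hdr_t *out)
{
    size_t pos = 0;
    if (!buf || !out || len < 4) return -1;
    memset(out, 0, sizeof *out);

    out->ndims = buf[pos++];
    /* The check the advisory describes as missing: rank vs. allocated space. */
    if (out->ndims == 0 || out->ndims > MAX_NDIMS) return -2;

    /* Make sure every dimension and the trailing three bytes are present. */
    if (len - pos < (size_t)out->ndims * 4 + 3) return -3;

    uint64_t nelems = 1;
    for (unsigned i = 0; i < out->ndims; i++) {
        uint32_t d = (uint32_t)buf[pos] | ((uint32_t)buf[pos + 1] << 8) |
                     ((uint32_t)buf[pos + 2] << 16) | ((uint32_t)buf[pos + 3] << 24);
        pos += 4;
        if (d == 0) return -4;
        /* Multiply only if the product stays under the cap (no wraparound). */
        if (nelems > MAX_ELEMENTS / d) return -5;
        nelems *= d;
        out->dims[i] = d;
    }

    out->elem_size = buf[pos++];
    out->precision = buf[pos++];
    out->offset    = buf[pos++];
    if (out->elem_size == 0 || out->elem_size > 8) return -6;
    /* N-bit style bounds check: the packed bit field must fit in the element,
     * otherwise any index derived from precision/offset lands outside it. */
    if (out->precision == 0 ||
        (unsigned)out->offset + out->precision > (unsigned)out->elem_size * 8)
        return -7;

    out->total_bytes = (size_t)nelems * out->elem_size;
    return 0;
}

/* Convenience wrapper: bytes the caller may safely allocate, or 0 if rejected. */
size_t decoded_total_bytes(const uint8_t *buf, size_t len)
{
    array_hdr_t h;
    return decode_array_hdr(buf, len, &h) == 0 ? h.total_bytes : 0;
}

int main(void)
{
    /* Constructed sample: rank 2, dims 3x4, 4-byte elements, 12-bit precision. */
    const uint8_t good[] = {2, 3,0,0,0, 4,0,0,0, 4, 12, 0};
    /* Constructed sample: rank 255, far above the fixed storage. */
    const uint8_t big_rank[] = {0xff, 0, 0, 0};
    printf("good:     %zu bytes\n", decoded_total_bytes(good, sizeof good));
    printf("big rank: %zu bytes (0 = rejected)\n",
           decoded_total_bytes(big_rank, sizeof big_rank));
    return 0;
}
```

The decoder never touches `dims[]` until the rank has been compared to the array's capacity, and it rejects the header outright instead of clamping, so a malformed file fails closed rather than being partially parsed.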
For the full details of each of these vulnerabilities, please visit our vulnerability reports here:
Coverage
Talos has released rules that detect attempts to exploit these vulnerabilities to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.
Snort Rules: 40791-40794, 40801-40810