Wednesday, September 13, 2017

Vulnerability Spotlight: LibOFX Tag Parsing Code Execution Vulnerability

This vulnerability was discovered by Cory Duplantis of Talos

Update 9/20/2017: A patch is now available to fix this issue.

Overview


LibOFX is an open source implementation of OFX (Open Financial Exchange), an open format used by financial institutions to share financial data with clients. As an implementation of a complex standard, this library is used by financial software such as GnuCash. Talos has discovered an exploitable buffer overflow in the implementation: a specially crafted OFX file can cause an out-of-bounds write, resulting in code execution. This vulnerability is not currently patched, and Talos has not received a response from the developers within the period specified by the Vendor Vulnerability Reporting and Disclosure Policy.



TALOS-2017-0317 (CVE-2017-2816) - LibOFX Tag Parsing Code Execution Vulnerability


Ironically, the vulnerability is located in the way that tags are parsed by the sanitize function. In that function, tag names are stored in a local buffer on the stack, so an overly long tag name results in a stack overflow.

More details can be found in the vulnerability report: TALOS-2017-0317

Tested Version: LibOFX 0.9.11
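To illustrate the class of defect described above, here is an added example (not LibOFX's code) of a tag-name reader that keeps the name in a fixed-size stack buffer but refuses to copy more than the buffer can hold; the MAX_TAG_NAME limit, the function names and the sample OFX fragments are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Maximum tag name length this hypothetical parser accepts (assumption). */
#define MAX_TAG_NAME 32

/* Copy the tag name that starts at p (just past '<') into out.
 * Returns the name length, or -1 if the name does not fit in out or no
 * closing '>' is found. An unbounded copy into a fixed stack buffer is the
 * pattern behind TALOS-2017-0317; this version never writes past
 * out[out_size - 1]. */
int read_tag_name(const char *p, char *out, size_t out_size)
{
    size_t n = 0;
    while (p[n] != '\0' && p[n] != '>') {
        if (n + 1 >= out_size)      /* keep room for the terminator */
            return -1;
        out[n] = p[n];
        n++;
    }
    if (p[n] != '>')                /* unterminated tag */
        return -1;
    out[n] = '\0';
    return (int)n;
}

/* Walk an OFX body and count its tags; returns -1 at the first tag whose
 * name is over-long or unterminated, so the caller can reject the file. */
int scan_ofx_tags(const char *ofx)
{
    int count = 0;
    const char *p = ofx;
    while ((p = strchr(p, '<')) != NULL) {
        char name[MAX_TAG_NAME];    /* fixed-size stack buffer, bounds-checked */
        int len = read_tag_name(p + 1, name, sizeof name);
        if (len < 0)
            return -1;
        p += 1 + len;               /* continue from the closing '>' */
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample fragments, not real bank data. */
    printf("%d\n", scan_ofx_tags("<OFX><SONRS></SONRS></OFX>"));
    printf("%d\n", scan_ofx_tags("<OFX><AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA></OFX>"));
    return 0;
}
```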

Discussion


As an open source library, LibOFX may be used in various financial applications. This vulnerability presents many attractive features for attackers. User interaction is not necessarily required to trigger the vulnerability, and any systems presenting with this vulnerability are likely to contain valuable financial information which can be stolen to conduct identity theft, fraud, or easily sold on to other criminals.

Organisations may not be aware that this library is being used to parse OFX files in third-party software, or in software developed as part of an in-house system. Keeping track of open source libraries used within in-house projects, and quickly applying patches supplied by third-party vendors, is vital to ensure that vulnerabilities such as this one, which are particularly enticing to attackers, are properly managed.

Coverage


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 42277-42278
