mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-05-28 01:02:25 +00:00
68 lines
4.4 KiB
JSON
{
  "id": "CVE-2024-52811",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2024-11-25T19:15:11.567",
  "lastModified": "2024-11-25T19:15:11.567",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The ngtcp2 project is an effort to implement IETF QUIC protocol in C. In affected versions acks are not validated before being written to the qlog leading to a buffer overflow. In `ngtcp2_conn::conn_recv_pkt` for an ACK, there was new logic that got added to skip `conn_recv_ack` if an ack has already been processed in the payload. However, this causes us to also skip `ngtcp2_pkt_validate_ack`. The ack which was skipped still got written to qlog. The bug occurs in `ngtcp2_qlog::write_ack_frame`. It is now possible to reach this code with an invalid ack, suppose `largest_ack=0` and `first_ack_range=15`. Subtracting `largest_ack - first_ack_range` will lead to an integer underflow which is 20 chars long. However, the ngtcp2 qlog code assumes the number written is a signed integer and only accounts for 19 characters of overhead (see `NGTCP2_QLOG_ACK_FRAME_RANGE_OVERHEAD`). Therefore, we overwrite the buffer causing a heap overflow. This is high priority and could potentially impact many users if they enable qlog. qlog is disabled by default. Due to its overhead, it is most likely used for debugging purpose, but the actual use is unknown. ngtcp2 v1.9.1 fixes the bug and users are advised to upgrade. Users unable to upgrade should not turn on qlog."
    },
    {
      "lang": "es",
      "value": "El proyecto ngtcp2 es un esfuerzo por implementar el protocolo IETF QUIC en C. En las versiones afectadas, los acks no se validan antes de escribirse en el qlog, lo que genera un desbordamiento de b\u00fafer. En `ngtcp2_conn::conn_recv_pkt` para un ACK, se agreg\u00f3 una nueva l\u00f3gica para omitir `conn_recv_ack` si ya se proces\u00f3 un ack en el payload. Sin embargo, esto hace que tambi\u00e9n omitamos `ngtcp2_pkt_validate_ack`. El ack que se omiti\u00f3 se escribi\u00f3 en qlog. El error ocurre en `ngtcp2_qlog::write_ack_frame`. Ahora es posible acceder a este c\u00f3digo con un ack no v\u00e1lido, supongamos que `largest_ack=0` y `first_ack_range=15`. Restar `largest_ack - first_ack_range` generar\u00e1 un desbordamiento de enteros de 20 caracteres. Sin embargo, el c\u00f3digo qlog de ngtcp2 asume que el n\u00famero escrito es un entero con signo y solo tiene en cuenta 19 caracteres de sobrecarga (consulte `NGTCP2_QLOG_ACK_FRAME_RANGE_OVERHEAD`). Por lo tanto, sobrescribimos el b\u00fafer y provocamos un desbordamiento del mont\u00f3n. Esto es de alta prioridad y podr\u00eda afectar potencialmente a muchos usuarios si habilitan qlog. qlog est\u00e1 deshabilitado de forma predeterminada. Debido a su sobrecarga, lo m\u00e1s probable es que se use con fines de depuraci\u00f3n, pero se desconoce su uso real. ngtcp2 v1.9.1 corrige el error y se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar no deben activar qlog."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.2
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-670"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/ngtcp2/ngtcp2/commit/44b662bd139c23fee1703bf256c13349e2e624a1",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/ngtcp2/ngtcp2/commit/e550c1a414318d0f3f01fca1a621ae0b0428ca15",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/ngtcp2/ngtcp2/security/advisories/GHSA-4gmv-gf46-r4g5",
      "source": "security-advisories@github.com"
    }
  ]
}