Stack Overflow in VTPM Protobuf Server (EVE)
CVE-2023-43632 Published on September 21, 2023
Freely Allocate Buffer on The Stack With Data From Socket
As noted in the VTPM.md file in the EVE documentation, VTPM is a server listening on port
8877 in EVE, exposing limited functionality of the TPM to the clients.
VTPM allows clients to execute tpm2-tools binaries from a list of hardcoded options.
The communication with this server is done using protobuf, and the data is comprised of 2
parts:
1. Header
2. Data
When a connection is made, the server waits for 4 bytes of data, which are the header,
and parses these 4 bytes as a uint32 giving the size of the actual data to come.
The function handleRequest then uses this size to allocate a payload on
the stack for the incoming data.
Because this payload is allocated on the stack, this allows overflowing the stack allocated for
the relevant process with freely controlled data.
* An attacker can crash the system.
* An attacker can gain control over the system, specifically on the vtpm_server process
which has very high privileges.
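A bounded version of the framing described above, as an added example (not code from EVE or from this advisory): the 4-byte header is checked against a cap before anything is allocated, and the payload goes on the heap instead of the stack. The names read_frame, read_full and MAX_PAYLOAD, the 4096-byte cap, and network byte order for the header are assumptions; the page does not specify them.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>

/* Assumed cap; the page does not state the largest legitimate request. */
#define MAX_PAYLOAD 4096u

/* Read exactly n bytes, retrying on short reads and EINTR. 0 on success. */
static int read_full(int fd, void *buf, size_t n)
{
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r == 0)
            return -1;              /* peer closed mid-frame */
        if (r < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += r;
        n -= (size_t)r;
    }
    return 0;
}

/*
 * Read one frame: 4-byte length header followed by that many payload bytes.
 * Returns a heap buffer (caller frees) and stores its length in *len,
 * or NULL if the frame is truncated, empty, or larger than MAX_PAYLOAD.
 */
unsigned char *read_frame(int fd, uint32_t *len)
{
    uint32_t hdr;
    if (read_full(fd, &hdr, sizeof hdr) != 0)
        return NULL;
    uint32_t size = ntohl(hdr);     /* assumed byte order */
    if (size == 0 || size > MAX_PAYLOAD)
        return NULL;                /* reject before any allocation */
    unsigned char *payload = malloc(size);
    if (payload == NULL)
        return NULL;
    if (read_full(fd, payload, size) != 0) {
        free(payload);
        return NULL;
    }
    *len = size;
    return payload;
}
```

A caller that gets NULL should close the connection, since the stream position is no longer trustworthy after a rejected header.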
Vulnerability Analysis
Weakness Type
What is a Stack Exhaustion Vulnerability?
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
CVE-2023-43632 has been classified as a Stack Exhaustion vulnerability or weakness.
Products Associated with CVE-2023-43632
Affected Versions
LF-Edge, Zededa EVE OS: Version 3.0.0 and below 9.5.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.