Security Advisory 2020-11-XX-2 - libuci import heap use after free (CVE-2020-XXXX)

Petr Štetiar ynezz at true.cz
Thu Dec 10 03:57:10 EST 2020


Security Advisory 2020-12-09-2 - libuci import heap use after free (CVE-2020-28951)


DESCRIPTION

Possibly exploitable vulnerability was found in Unified Config Interface (UCI)
library named libuci, specifically in uci_import() C API function.

CVE-2020-28951[1] has been assigned to this issue, you can find the latest
version of this advisory on our wiki[2].


REQUIREMENTS

In order to exploit this vulnerability a malicious attacker would need to
provide specially crafted config file to uci_import() C API function. For
example, this is possible with UCI CLI by following shell command:

    uci import -f malicious.config


MITIGATIONS

To fix this issue, update the affected libuci package using the command below.

   opkg update; opkg upgrade libuci

The fix is contained in the following and later versions:

  - OpenWrt 19.07:  19.07.5    (https://git.openwrt.org/78c4c04dd7979a7f6d3cadeb1783b6c38d63b575)
  - OpenWrt 18.06:  18.06.9    (https://git.openwrt.org/5625f5bc36954d644cb80adf8de47854c65d91c3)
  - OpenWrt master: 2020-10-27 (https://git.openwrt.org/095cc2b7454addeaf25b05aff194f287783219ed)


AFFECTED VERSIONS

To our knowledge, OpenWrt versions 18.06.0 to 18.06.8 and versions 19.07.0 to
19.07.4 are affected.  The fixed packages will be integrated in the upcoming
OpenWrt 18.06.9 and OpenWrt 19.07.5 releases.  Older versions of OpenWrt (e.g.
OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.


CREDITS

This issue was identified by Jeremy Galindo, fixed by Petr Štetiar and Hauke
Mehrtens.


REFERENCES

1. https://nvd.nist.gov/vuln/detail/CVE-2020-28951
2. https://openwrt.org/advisory/2020-12-09-2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.openwrt.org/pipermail/openwrt-devel/attachments/20201210/9af9eba1/attachment.sig>


More information about the openwrt-devel mailing list