#1078555 ofono CVE-2024-7538 CVE-2024-7539 CVE-2024-7540 CVE-2024-7541 CVE-2024-7542 CVE-2024-7543 CVE-2024-7544 CVE-2024-7545 CVE-2024-7546 CVE-2024-7547

Package:
src:ofono
Source:
src:ofono
Submitter:
Moritz Mühlenhoff
Date:
2025-03-15 09:36:37 UTC
Severity:
normal
Tags:
#1078555#5
Date:
2024-08-12 12:33:36 UTC
From:
To:
Hi,

The following vulnerabilities were published for ofono.

CVE-2024-7537[0]:
| oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure
| Vulnerability. This vulnerability allows local attackers to disclose
| sensitive information on affected installations of oFono.
| Authentication is not required to exploit this vulnerability.  The
| specific flaw exists within the processing of SMS message lists. The
| issue results from the lack of proper validation of user-supplied
| data, which can result in a read past the end of an allocated
| buffer. An attacker can leverage this in conjunction with other
| vulnerabilities to execute arbitrary code in the context of root.
| Was ZDI-CAN-23157.

https://www.zerodayinitiative.com/advisories/ZDI-24-1077/

CVE-2024-7538[1]:
| oFono CUSD AT Command Stack-based Buffer Overflow Code Execution
| Vulnerability. This vulnerability allows local attackers to execute
| arbitrary code on affected installations of oFono. An attacker must
| first obtain the ability to execute code on the target modem in
| order to exploit this vulnerability.  The specific flaw exists
| within the parsing of responses from AT Commands. The issue results
| from the lack of proper validation of the length of user-supplied
| data prior to copying it to a stack-based buffer. An attacker can
| leverage this vulnerability to execute code in the context of root.
| Was ZDI-CAN-23190.

https://www.zerodayinitiative.com/advisories/ZDI-24-1078/

CVE-2024-7539[2]:
| oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability.
| This vulnerability allows local attackers to execute arbitrary code
| on affected installations of oFono. An attacker must first obtain
| the ability to execute code on the target modem in order to exploit
| this vulnerability.  The specific flaw exists within the parsing of
| responses from AT+CUSD commands. The issue results from the lack of
| proper validation of the length of user-supplied data prior to
| copying it to a stack-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of root. Was ZDI-
| CAN-23195.

https://www.zerodayinitiative.com/advisories/ZDI-24-1079/

CVE-2024-7540[3]:
| oFono AT CMGL Command Uninitialized Variable Information Disclosure
| Vulnerability. This vulnerability allows local attackers to disclose
| sensitive information on affected installations of oFono. An
| attacker must first obtain the ability to execute code on the target
| modem in order to exploit this vulnerability.  The specific flaw
| exists within the parsing of responses from AT+CMGL commands. The
| issue results from the lack of proper initialization of memory prior
| to accessing it. An attacker can leverage this in conjunction with
| other vulnerabilities to execute arbitrary code in the context of
| root. Was ZDI-CAN-23307.

https://www.zerodayinitiative.com/advisories/ZDI-24-1080/

CVE-2024-7541[4]:
| oFono AT CMT Command Uninitialized Variable Information Disclosure
| Vulnerability. This vulnerability allows local attackers to disclose
| sensitive information on affected installations of oFono. An
| attacker must first obtain the ability to execute code on the target
| modem in order to exploit this vulnerability.  The specific flaw
| exists within the parsing of responses from AT+CMT commands. The
| issue results from the lack of proper initialization of memory prior
| to accessing it. An attacker can leverage this in conjunction with
| other vulnerabilities to execute arbitrary code in the context of
| root. Was ZDI-CAN-23308.

https://www.zerodayinitiative.com/advisories/ZDI-24-1081/

CVE-2024-7542[5]:
| oFono AT CMGR Command Uninitialized Variable Information Disclosure
| Vulnerability. This vulnerability allows local attackers to disclose
| sensitive information on affected installations of oFono. An
| attacker must first obtain the ability to execute code on the target
| modem in order to exploit this vulnerability.  The specific flaw
| exists within the parsing of responses from AT+CMGR commands. The
| issue results from the lack of proper initialization of memory prior
| to accessing it. An attacker can leverage this in conjunction with
| other vulnerabilities to execute arbitrary code in the context of
| root. Was ZDI-CAN-23309.

https://www.zerodayinitiative.com/advisories/ZDI-24-1082/

CVE-2024-7543[6]:
| oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
| Vulnerability. This vulnerability allows local attackers to execute
| arbitrary code on affected installations of oFono. An attacker must
| first obtain the ability to execute code on the target modem in
| order to exploit this vulnerability.  The specific flaw exists
| within the parsing of STK command PDUs. The issue results from the
| lack of proper validation of the length of user-supplied data prior
| to copying it to a heap-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of the service account.
| Was ZDI-CAN-23456.

https://www.zerodayinitiative.com/advisories/ZDI-24-1083/

CVE-2024-7544[7]:
| oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
| Vulnerability. This vulnerability allows local attackers to execute
| arbitrary code on affected installations of oFono. An attacker must
| first obtain the ability to execute code on the target modem in
| order to exploit this vulnerability.  The specific flaw exists
| within the parsing of STK command PDUs. The issue results from the
| lack of proper validation of the length of user-supplied data prior
| to copying it to a heap-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of the service account.
| Was ZDI-CAN-23457.

https://www.zerodayinitiative.com/advisories/ZDI-24-1084/

CVE-2024-7545[8]:
| oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
| Vulnerability. This vulnerability allows local attackers to execute
| arbitrary code on affected installations of oFono. An attacker must
| first obtain the ability to execute code on the target modem in
| order to exploit this vulnerability.  The specific flaw exists
| within the parsing of STK command PDUs. The issue results from the
| lack of proper validation of the length of user-supplied data prior
| to copying it to a heap-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of the service account.
| Was ZDI-CAN-23458.

https://www.zerodayinitiative.com/advisories/ZDI-24-1085/

CVE-2024-7546[9]:
| oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
| Vulnerability. This vulnerability allows local attackers to execute
| arbitrary code on affected installations of oFono. An attacker must
| first obtain the ability to execute code on the target modem in
| order to exploit this vulnerability.  The specific flaw exists
| within the parsing of STK command PDUs. The issue results from the
| lack of proper validation of the length of user-supplied data prior
| to copying it to a heap-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of the service account.
| Was ZDI-CAN-23459.

https://www.zerodayinitiative.com/advisories/ZDI-24-1086/

CVE-2024-7547[10]:
| oFono SMS Decoder Stack-based Buffer Overflow Privilege Escalation
| Vulnerability. This vulnerability allows local attackers to execute
| arbitrary code on affected installations of oFono. An attacker must
| first obtain the ability to execute code on the target modem in
| order to exploit this vulnerability.  The specific flaw exists
| within the parsing of SMS PDUs. The issue results from the lack of
| proper validation of the length of user-supplied data prior to
| copying it to a stack-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of the service account.
| Was ZDI-CAN-23460.

https://www.zerodayinitiative.com/advisories/ZDI-24-1087/

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-7537
https://www.cve.org/CVERecord?id=CVE-2024-7537
[1] https://security-tracker.debian.org/tracker/CVE-2024-7538
https://www.cve.org/CVERecord?id=CVE-2024-7538
[2] https://security-tracker.debian.org/tracker/CVE-2024-7539
https://www.cve.org/CVERecord?id=CVE-2024-7539
[3] https://security-tracker.debian.org/tracker/CVE-2024-7540
https://www.cve.org/CVERecord?id=CVE-2024-7540
[4] https://security-tracker.debian.org/tracker/CVE-2024-7541
https://www.cve.org/CVERecord?id=CVE-2024-7541
[5] https://security-tracker.debian.org/tracker/CVE-2024-7542
https://www.cve.org/CVERecord?id=CVE-2024-7542
[6] https://security-tracker.debian.org/tracker/CVE-2024-7543
https://www.cve.org/CVERecord?id=CVE-2024-7543
[7] https://security-tracker.debian.org/tracker/CVE-2024-7544
https://www.cve.org/CVERecord?id=CVE-2024-7544
[8] https://security-tracker.debian.org/tracker/CVE-2024-7545
https://www.cve.org/CVERecord?id=CVE-2024-7545
[9] https://security-tracker.debian.org/tracker/CVE-2024-7546
https://www.cve.org/CVERecord?id=CVE-2024-7546
[10] https://security-tracker.debian.org/tracker/CVE-2024-7547
https://www.cve.org/CVERecord?id=CVE-2024-7547

Please adjust the affected versions in the BTS as needed.
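The CUSD advisories above (CVE-2024-7538 and CVE-2024-7539) describe one pattern: a modem-supplied string is copied into a fixed-size stack buffer without its length being compared with the buffer first. The following is an added illustration of that bug class on a minimal parser for the <str> argument of a "+CUSD: <m>,"<str>",<dcs>" response line; it is not ofono's code and not taken from the ZDI reports. The 160-byte buffer size, the function names and the sample responses are assumptions chosen for the example. The unchecked variant is kept next to the checked one only for comparison; the program and the checks exercise the checked one.

```c
/*
 * Added illustration, not ofono source: unchecked versus bounds-checked
 * extraction of the quoted <str> argument from a modem "+CUSD:" line.
 * Buffer size, names and sample inputs are assumptions for this example.
 */
#include <stdio.h>
#include <string.h>

#define CUSD_BUF 160   /* assumed size of the fixed destination buffer */

static char cusd_scratch[CUSD_BUF];   /* scratch buffer used by main() */

/* Find the quoted <str> argument. Returns a pointer just past the opening
 * quote and stores its length in *len, or NULL if the line is not a
 * well-formed +CUSD response. */
static const char *cusd_find_str(const char *line, size_t *len)
{
	const char *p, *q;

	if (strncmp(line, "+CUSD:", 6) != 0)
		return NULL;
	p = strchr(line, '"');
	if (p == NULL)
		return NULL;
	p++;
	q = strchr(p, '"');
	if (q == NULL)
		return NULL;
	*len = (size_t)(q - p);
	return p;
}

/* VULNERABLE pattern: the modem-controlled length is never compared with
 * the destination size, so a response longer than the buffer writes past
 * its end. Kept only for comparison; never run it on untrusted input. */
int cusd_parse_unchecked(const char *line, char *out)
{
	size_t len;
	const char *s = cusd_find_str(line, &len);

	if (s == NULL)
		return -1;
	memcpy(out, s, len);          /* len is unbounded */
	out[len] = '\0';
	return (int)len;
}

/* HARDENED: reject the response before touching the buffer when it would
 * not fit together with the NUL terminator. Returns the string length,
 * -1 for a malformed line, -2 for an oversized one. */
int cusd_parse_checked(const char *line, char *out, size_t outlen)
{
	size_t len;
	const char *s = cusd_find_str(line, &len);

	if (s == NULL)
		return -1;
	if (len >= outlen)
		return -2;
	memcpy(out, s, len);
	out[len] = '\0';
	return (int)len;
}

/* Constructed oversized response: 200 payload bytes against a 160-byte
 * buffer. Returns what the hardened parser does with it. */
int cusd_oversized_sample(void)
{
	char line[256];
	char out[CUSD_BUF];
	size_t i;

	memcpy(line, "+CUSD: 1,\"", 10);
	for (i = 0; i < 200; i++)
		line[10 + i] = 'A';
	memcpy(line + 210, "\",15", 5);   /* includes the terminating NUL */
	return cusd_parse_checked(line, out, sizeof out);
}

int main(void)
{
	/* constructed benign response */
	const char *ok = "+CUSD: 0,\"Your balance is 5.00\",15";
	int n = cusd_parse_checked(ok, cusd_scratch, sizeof cusd_scratch);

	printf("benign: %d (%s)\n", n, cusd_scratch);
	printf("oversized: %d\n", cusd_oversized_sample());
	printf("malformed: %d\n",
	       cusd_parse_checked("+CUSD: 2", cusd_scratch, sizeof cusd_scratch));
	return 0;
}
```

The check that matters is the single comparison of the parsed length against the destination size before the copy; the same shape applies to the CMGL/CMGR/CMT response parsers and to length-prefixed STK and SMS PDU fields, where the attacker-chosen length must be validated against both the remaining input and the destination.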

#1078555#10
Date:
2025-03-01 13:23:29 UTC
From:
To:
Hi Moritz, hi all,

as already pre-discussed with Salvatore on IRC, I am herewith splitting
this bug into two.

A fix for the above CVE is currently work in progress. During last week,
we have received feedback from ZDI and they are reporting their findings
on CVE-2024-7537 to the ofono upstream custodians. Our original message
from a few months ago was missed by the security researchers, so Sicelo now
pinged them again and they responded immediately.

The CVE is hardware-specific (QMI chipsets by Qualcomm) and only
exploitable in conjunction with other exploitations. The CVEs of those
other exploitation pathways have been fixed in ofono meanwhile.

So for the new bug cloned from #1078555, our suggestion is to reduce
severity to important (as not all Debian users are affected by it)
and an exploit is not so likely anymore.

Everything below here will remain in #1078555. As of now, all issues
except for CVE-2024-7538 are marked as resolved in Debian's security
tracker.

See: https://salsa.debian.org/telepathy-team/ofono/-/commit/f11771ba52b3597302d7f3472d96034ee4e17dba
(uploaded to Debian with ofono 2.14-1).

With this in mind, I'd like to see #1078555 closed after the factoring out.

@Debian sec team:
  * Please provide feedback on the above.
  * Please close #1078555 if you agree with my above reasonings.
  * Please downgrade severity of the new #-2 bug if you agree
    or follow-up on this mail.

I will also update the security-tracker database once the new bug number
of #-2 has arrived here.

Thanks,
Mike

(everything below here has been resolved)

#1078555#26
Date:
2025-03-05 21:55:49 UTC
From:
To:
The downgrade seems fine to me. For CVE-2024-7538 it seems likely, but
could you doublecheck with upstream just to be sure?

Cheers,
        Moritz

#1078555#36
Date:
2025-03-10 15:38:56 UTC
From:
To:
Hi Moritz,
has been resolved in ofono in Debian already).

CVE-2024-7538:
https://www.zerodayinitiative.com/advisories/ZDI-24-1078/
Alternate ID: ZDI-CAN-23190
Details:
https://lore.kernel.org/ofono/BYAPR01MB3830CC0A4CA324706691F19380D62@BYAPR01MB3830.prod.exchangelabs.com/

CVE-2024-7539:
https://www.zerodayinitiative.com/advisories/ZDI-24-1079/
Alternate ID: ZDI-CAN-23195
Details:
https://lore.kernel.org/ofono/DM5PR0102MB3477EF696990E9AF78891586805F2@DM5PR0102MB3477.prod.exchangelabs.com/
So, #1078555 can be closed, imho.

Furthermore, can you please downgrade #1099190 to important as
discussed earlier? We have now also received the technical details for
CVE-2024-7537, see here:
https://lore.kernel.org/ofono/BYAPR01MB3830B08E8DB1D76A9A85B07680D62@BYAPR01MB3830.prod.exchangelabs.com/T/#u

Thanks!
Mike

#1078555#45
Date:
2025-03-15 09:32:07 UTC
From:
To:
close 1078555 2.14-1
thanks

#1078555#50
Date:
2025-03-15 09:35:24 UTC
From:
To:
Hi Mike,

Thank you, I have updated the security tracker and BTS metadata (and
the severity of #1099190).

Regards,
Salvatore