QNX Patches Multiple Vulnerabilities

Tuesday, July 9, 2013 @ 03:07 PM gHale


QNX produced a patch that mitigates two vulnerabilities, a stack-based buffer overflow and a buffer copy without checking the size of input, in its Phrelay, Phwindows, and Phditto products, according to a report on ICS-CERT.

Independent researcher Luigi Auriemma, who identified the vulnerabilities and released the information without coordination from the vendor or any other coordinating entity known to ICS-CERT, confirmed the patch resolves the reported vulnerabilities.


Proof-of-concept code that takes advantage of these remotely exploitable vulnerabilities has been released. Exploits that target these vulnerabilities are publicly available.
The following QNX products suffer from the issue:
• Phrelay (all versions),
• Phwindows (all versions), and
• Phditto (all versions).

Successful exploitation of these vulnerabilities could cause a denial-of-service (DoS) condition and may allow remote execution of arbitrary code.

QNX is a Canada-based company that produces the QNX Operating System. The QNX Operating System is a general purpose operating system upon which many device manufacturers build their embedded systems. The embedded systems primarily see use in the U.S. but also worldwide. The embedded systems deploy across multiple sectors including critical manufacturing, transportation, healthcare, defense industrial base, communications, energy, nuclear facilities, and commercial facilities.

The bpe_decompress function used in all the client/server programs of this protocol can suffer from a stack-based buffer overflow caused by the lack of checks on the data sequentially stored in two buffers. By sending a specially crafted packet to Port 4868/UDP, an attacker could cause a DoS or possibly execute arbitrary code.

CVE-2013-2687 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

In addition, the program copies an input buffer to an output buffer without verifying the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. The buffer overflow affects Phrelay in the handling of the device file specified by the client as an existing session in Phrelay, Phditto, and Phwindows. By sending a specially crafted packet to Port 4868/UDP, an attacker could cause a DoS or possibly execute arbitrary code.

CVE-2013-2688 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.4.
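As an added illustration of the two defect classes the advisory names (this is not QNX's code; the Photon wire format is not published here, so the payload layout below is constructed), a small C decoder that checks the declared table length against the bytes actually received and checks output capacity before every write, returning -1 instead of overrunning either buffer:

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed payload layout (an assumption, not the real Photon format):
 *   byte 0      : n_pairs, number of table entries
 *   bytes 1..3n : table of (code, left, right) triples
 *   remainder   : data bytes; a byte equal to a table code expands to (left, right)
 * Returns bytes written to out, or -1 if the input is truncated or out_cap is too small. */
#define BPE_MAX_PAIRS 16

typedef struct { uint8_t code, left, right; } bpe_pair_t;

long bpe_expand_checked(const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_cap)
{
    bpe_pair_t table[BPE_MAX_PAIRS];
    size_t n_pairs, i, out_len = 0;

    if (in_len < 1) return -1;                 /* header byte missing */
    n_pairs = in[0];
    if (n_pairs > BPE_MAX_PAIRS) return -1;    /* table would overflow the stack array */
    if (in_len < 1 + 3 * n_pairs) return -1;   /* table claims more bytes than received */

    for (i = 0; i < n_pairs; i++) {            /* first sequential buffer: the table */
        table[i].code  = in[1 + 3 * i];
        table[i].left  = in[2 + 3 * i];
        table[i].right = in[3 + 3 * i];
    }

    for (i = 1 + 3 * n_pairs; i < in_len; i++) { /* second: the data stream */
        uint8_t b = in[i];
        size_t k;
        for (k = 0; k < n_pairs && table[k].code != b; k++) ;
        if (k < n_pairs) {
            if (out_len + 2 > out_cap) return -1;   /* output size check before copy */
            out[out_len++] = table[k].left;
            out[out_len++] = table[k].right;
        } else {
            if (out_len + 1 > out_cap) return -1;
            out[out_len++] = b;
        }
    }
    return (long)out_len;
}

/* Constructed sample packet: one pair (0xFF -> 'A','B'), then data x,0xFF,y,0xFF */
static const uint8_t sample_pkt[] = { 1, 0xFF, 'A', 'B', 'x', 0xFF, 'y', 0xFF };

/* Decode the first in_len bytes of the sample into a buffer limited to out_cap bytes. */
long demo_expand(size_t in_len, size_t out_cap) {
    uint8_t out[64];
    if (in_len > sizeof sample_pkt || out_cap > sizeof out) return -1;
    return bpe_expand_checked(sample_pkt, in_len, out, out_cap);
}
```

The full packet expands to 6 bytes; a truncated table header or a 4-byte output buffer is rejected rather than overwritten.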

An attacker with low skill would be able to exploit these vulnerabilities.

QNX has released a patch that mitigates these vulnerabilities. The patch is compatible with targets that are running QNX Neutrino 6.5.0 or 6.5.0 SP1. The patch is available on the QNX Web site.


