CVE-2023-24090

Description

The bridge2 process has a memory corruption vulnerability. By sending crafted packets, an unauthenticated remote user can crash the bridge2 process through an invalid memory access.

# cat /rw/logs/backtrace.log 
2023.01.09-11:34:17.54@0: /nova/bin/bridge2
2023.01.09-11:34:17.54@0: --- signal=11 --------------------------------------------
2023.01.09-11:34:17.54@0: 
2023.01.09-11:34:17.54@0: eip=0x776e2147 eflags=0x00010216
2023.01.09-11:34:17.54@0: edi=0x0809ee20 esi=0x7ffd8624 ebp=0x7ffd83c8 esp=0x7ffd83b0
2023.01.09-11:34:17.54@0: eax=0x08ff0003 ebx=0x7770bf04 ecx=0x080bfc90 edx=0x080c2778
2023.01.09-11:34:17.54@0: 
2023.01.09-11:34:17.54@0: maps:
2023.01.09-11:34:17.54@0: 08048000-08064000 r-xp 00000000 00:0b 1137       /nova/bin/bridge2
2023.01.09-11:34:17.54@0: 77653000-77688000 r-xp 00000000 00:0b 1009       /lib/libuClibc-0.9.33.2.so
2023.01.09-11:34:17.54@0: 7768c000-776a6000 r-xp 00000000 00:0b 1005       /lib/libgcc_s.so.1
2023.01.09-11:34:17.54@0: 776a7000-776b6000 r-xp 00000000 00:0b 989        /lib/libuc++.so
2023.01.09-11:34:17.54@0: 776b7000-776bf000 r-xp 00000000 00:0b 995        /lib/libubox.so
2023.01.09-11:34:17.54@0: 776c0000-7770b000 r-xp 00000000 00:0b 991        /lib/libumsg.so
2023.01.09-11:34:17.54@0: 77711000-77718000 r-xp 00000000 00:0b 1003       /lib/ld-uClibc-0.9.33.2.so
2023.01.09-11:34:17.54@0: 
2023.01.09-11:34:17.54@0: stack: 0x7ffd9000 - 0x7ffd83b0 
2023.01.09-11:34:17.54@0: 78 27 0c 08 90 fc 0b 08 00 00 00 00 61 e2 00 00 04 bf 70 77 24 86 fd 7f 08 84 fd 7f aa 1a 6e 77 
2023.01.09-11:34:17.54@0: 20 ee 09 08 20 ee 09 08 62 e2 00 00 62 e2 00 00 24 86 fd 7f 01 00 00 00 08 84 fd 7f 62 e2 00 00 
2023.01.09-11:34:17.54@0: 
2023.01.09-11:34:17.54@0: code: 0x776e2147
2023.01.09-11:34:17.54@0: ff 10 83 c4 10 c9 c3 55 89 e5 56 53 e8 19 6b ff 
2023.01.09-11:34:17.54@0: 
2023.01.09-11:34:17.54@0: backtrace: 0x776e2147 0x776e1aaa 0x776e1bd6 0x776e1ca3 0x776e8745 0x0804cdc1 0x77681fcb 0x0804cdf9 
2023.01.09-11:34:17.54@0: 
2023.01.09-11:34:17.54@0: 
2023.01.09-11:34:17.54@0: logtail 1024 begin:
2023.01.09-11:34:17.54@0: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2023.01.09-11:34:17.54@0: 2023.01.09-11:29:36.36@0: MESH: (29836) rtActivate AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2023.01.09-11:34:17.54@0: 2023.01.09-11:29:36.36@0: MESH: (29836) mioFdbAdd: 00:00:00:00:00:00: DST_LOCAL
2023.01.09-11:34:17.54@0: 
2023.01.09-11:34:17.54@0: logtail end
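
For triage, the absolute addresses in a crash record like the one above can be resolved against its `maps` section to module-relative offsets, which attributes the faulting frame to a specific binary or library. The following is an added example, not part of the original advisory; the function names are illustrative, and the sample input is the eip, maps and backtrace lines copied from the log above.

```python
import re

# Constructed sample: the eip, maps and backtrace lines copied from the log above.
SAMPLE_LOG = """\
2023.01.09-11:34:17.54@0: eip=0x776e2147 eflags=0x00010216
2023.01.09-11:34:17.54@0: 08048000-08064000 r-xp 00000000 00:0b 1137       /nova/bin/bridge2
2023.01.09-11:34:17.54@0: 77653000-77688000 r-xp 00000000 00:0b 1009       /lib/libuClibc-0.9.33.2.so
2023.01.09-11:34:17.54@0: 7768c000-776a6000 r-xp 00000000 00:0b 1005       /lib/libgcc_s.so.1
2023.01.09-11:34:17.54@0: 776a7000-776b6000 r-xp 00000000 00:0b 989        /lib/libuc++.so
2023.01.09-11:34:17.54@0: 776b7000-776bf000 r-xp 00000000 00:0b 995        /lib/libubox.so
2023.01.09-11:34:17.54@0: 776c0000-7770b000 r-xp 00000000 00:0b 991        /lib/libumsg.so
2023.01.09-11:34:17.54@0: 77711000-77718000 r-xp 00000000 00:0b 1003       /lib/ld-uClibc-0.9.33.2.so
2023.01.09-11:34:17.54@0: backtrace: 0x776e2147 0x776e1aaa 0x776e1bd6 0x776e1ca3 0x776e8745 0x0804cdc1 0x77681fcb 0x0804cdf9
"""

STAMP = re.compile(r"^\S+@\d+: ?")  # leading "date-time@N: " prefix on every line
MAP = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) \S+ ([0-9a-f]+) \S+ \d+\s+(\S+)$")

def parse(log):
    """Return (maps, eip, frames) from one backtrace.log crash record."""
    maps, eip, frames = [], None, []
    for raw in log.splitlines():
        line = STAMP.sub("", raw, count=1).strip()
        m = MAP.match(line)
        if m:  # start, end, file offset of the mapping, path
            maps.append((int(m[1], 16), int(m[2], 16), int(m[3], 16), m[4]))
        elif line.startswith("eip="):
            eip = int(line.split()[0][len("eip="):], 16)
        elif line.startswith("backtrace:"):
            frames = [int(a, 16) for a in line.split()[1:]]
    return maps, eip, frames

def resolve(addr, maps):
    """Map an address to (module path, file offset); (None, addr) if unmapped."""
    for start, end, pgoff, path in maps:
        if start <= addr < end:
            return path, addr - start + pgoff
    return None, addr

def triage(log):
    """Resolve the faulting eip and every backtrace frame to module+offset."""
    maps, eip, frames = parse(log)
    fault = resolve(eip, maps) if eip is not None else None
    return {"fault": fault, "frames": [resolve(a, maps) for a in frames]}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path, off in [report["fault"]] + report["frames"]:
        print(f"{path or '<unmapped>'}+{off:#x}")
```

On this log the faulting eip resolves to `/lib/libumsg.so+0x22147`, and the later frames pass through `/nova/bin/bridge2` and libuClibc.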

Affected Version

This vulnerability was initially found in stable 6.40.5.

Timeline

  • 2023/1/12 - vulnerability reported to the vendor
  • 2023/1/23 - vendor confirmed the vulnerability
  • 2023/2/23 - CVE reserved

Thanks

Thanks to -DL who has been helping me behind the scenes.