CVE-2023-24090
Description
The bridge2 process has a memory corruption vulnerability. By sending crafted packets, an unauthenticated remote user can crash the bridge2 process through an invalid memory access.
# cat /rw/logs/backtrace.log
2023.01.09-11:34:17.54@0: /nova/bin/bridge2
2023.01.09-11:34:17.54@0: --- signal=11 --------------------------------------------
2023.01.09-11:34:17.54@0:
2023.01.09-11:34:17.54@0: eip=0x776e2147 eflags=0x00010216
2023.01.09-11:34:17.54@0: edi=0x0809ee20 esi=0x7ffd8624 ebp=0x7ffd83c8 esp=0x7ffd83b0
2023.01.09-11:34:17.54@0: eax=0x08ff0003 ebx=0x7770bf04 ecx=0x080bfc90 edx=0x080c2778
2023.01.09-11:34:17.54@0:
2023.01.09-11:34:17.54@0: maps:
2023.01.09-11:34:17.54@0: 08048000-08064000 r-xp 00000000 00:0b 1137 /nova/bin/bridge2
2023.01.09-11:34:17.54@0: 77653000-77688000 r-xp 00000000 00:0b 1009 /lib/libuClibc-0.9.33.2.so
2023.01.09-11:34:17.54@0: 7768c000-776a6000 r-xp 00000000 00:0b 1005 /lib/libgcc_s.so.1
2023.01.09-11:34:17.54@0: 776a7000-776b6000 r-xp 00000000 00:0b 989 /lib/libuc++.so
2023.01.09-11:34:17.54@0: 776b7000-776bf000 r-xp 00000000 00:0b 995 /lib/libubox.so
2023.01.09-11:34:17.54@0: 776c0000-7770b000 r-xp 00000000 00:0b 991 /lib/libumsg.so
2023.01.09-11:34:17.54@0: 77711000-77718000 r-xp 00000000 00:0b 1003 /lib/ld-uClibc-0.9.33.2.so
2023.01.09-11:34:17.54@0:
2023.01.09-11:34:17.54@0: stack: 0x7ffd9000 - 0x7ffd83b0
2023.01.09-11:34:17.54@0: 78 27 0c 08 90 fc 0b 08 00 00 00 00 61 e2 00 00 04 bf 70 77 24 86 fd 7f 08 84 fd 7f aa 1a 6e 77
2023.01.09-11:34:17.54@0: 20 ee 09 08 20 ee 09 08 62 e2 00 00 62 e2 00 00 24 86 fd 7f 01 00 00 00 08 84 fd 7f 62 e2 00 00
2023.01.09-11:34:17.54@0:
2023.01.09-11:34:17.54@0: code: 0x776e2147
2023.01.09-11:34:17.54@0: ff 10 83 c4 10 c9 c3 55 89 e5 56 53 e8 19 6b ff
2023.01.09-11:34:17.54@0:
2023.01.09-11:34:17.54@0: backtrace: 0x776e2147 0x776e1aaa 0x776e1bd6 0x776e1ca3 0x776e8745 0x0804cdc1 0x77681fcb 0x0804cdf9
2023.01.09-11:34:17.54@0:
2023.01.09-11:34:17.54@0:
2023.01.09-11:34:17.54@0: logtail 1024 begin:
2023.01.09-11:34:17.54@0: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2023.01.09-11:34:17.54@0: 2023.01.09-11:29:36.36@0: MESH: (29836) rtActivate AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2023.01.09-11:34:17.54@0: 2023.01.09-11:29:36.36@0: MESH: (29836) mioFdbAdd: 00:00:00:00:00:00: DST_LOCAL
2023.01.09-11:34:17.54@0:
2023.01.09-11:34:17.54@0: logtail end
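Added example, not part of the original advisory or the vendor's tooling: a Python script for crash triage that parses the backtrace.log format shown above and resolves each backtrace address to a module and file offset using the maps section. The function names are assumptions chosen for this example, and the embedded sample is trimmed from the log above.

```python
import re

# Constructed sample: selected lines from the backtrace.log above (trimmed).
SAMPLE_LOG = """\
2023.01.09-11:34:17.54@0: eip=0x776e2147 eflags=0x00010216
2023.01.09-11:34:17.54@0: maps:
2023.01.09-11:34:17.54@0: 08048000-08064000 r-xp 00000000 00:0b 1137 /nova/bin/bridge2
2023.01.09-11:34:17.54@0: 77653000-77688000 r-xp 00000000 00:0b 1009 /lib/libuClibc-0.9.33.2.so
2023.01.09-11:34:17.54@0: 776c0000-7770b000 r-xp 00000000 00:0b 991 /lib/libumsg.so
2023.01.09-11:34:17.54@0: backtrace: 0x776e2147 0x776e1aaa 0x776e1bd6 0x776e1ca3 0x776e8745 0x0804cdc1 0x77681fcb 0x0804cdf9
"""

PREFIX = re.compile(r"^\S+@\d+:\s?")  # leading "2023.01.09-11:34:17.54@0: "
MAP = re.compile(r"^([0-9a-f]{8})-([0-9a-f]{8}) (\S{4}) ([0-9a-f]{8}) \S+ \d+\s+(\S+)$")

def parse_log(text):
    """Return (maps, frames); maps holds (start, end, file_offset, path)."""
    maps, frames = [], []
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        m = MAP.match(line)
        if m:
            start, end, _perms, off, path = m.groups()
            maps.append((int(start, 16), int(end, 16), int(off, 16), path))
        elif line.startswith("backtrace:"):
            frames = [int(a, 16) for a in line.split()[1:]]
    return maps, frames

def resolve(addr, maps):
    """Map an absolute address to (module path, offset in file), or None."""
    for start, end, off, path in maps:
        if start <= addr < end:
            return path, addr - start + off
    return None

def symbolize(text):
    """Resolve every backtrace frame; frames outside all maps get path '?'."""
    maps, frames = parse_log(text)
    out = []
    for addr in frames:
        hit = resolve(addr, maps)
        out.append((addr, *hit) if hit else (addr, "?", None))
    return out

if __name__ == "__main__":
    for addr, path, off in symbolize(SAMPLE_LOG):
        where = f"{path}+{off:#x}" if off is not None else "unmapped"
        print(f"{addr:#010x}  {where}")
```

On the log above, the faulting eip and the next four frames resolve into /lib/libumsg.so; only the sixth and eighth frames are in /nova/bin/bridge2 itself.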
Affected Version
This vulnerability was initially found in stable 6.40.5.
Timeline
- 2023/1/12 - reported the vulnerability to the vendor
- 2023/1/23 - vendor confirmed the vulnerability
- 2023/2/23 - CVE reserved
Thanks
Thanks to -DL who has been helping me behind the scenes.