CVE-2015-5237
Heap-based Buffer Overflow vulnerability in Google.Protobuf (NuGet)

Weakness: Heap-based Buffer Overflow | Public exploits: No known exploit

What is CVE-2015-5237 About?

This vulnerability in Protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. Such an overflow can lead to denial of service, memory corruption, or potentially arbitrary code execution. Exploitation requires authentication, making it moderately difficult.

Affected Software

  • Google.Protobuf
    • <3.4.0
  • com.google.protobuf:protobuf-parent
    • <3.4.0
  • github.com/protocolbuffers/protobuf
    • <3.4.0
  • google/protobuf
    • <3.4.0
  • protobuf
    • <3.4.0

Technical Details

The Protobuf library is prone to a heap-based buffer overflow vulnerability when processing specially crafted input messages. This occurs because the library, during the deserialization or parsing of a malicious Protobuf message, miscalculates buffer sizes or performs incorrect boundary checks when allocating or copying data to the heap. An authenticated remote attacker can send a malformed Protobuf message that exceeds the intended buffer size, overwriting adjacent memory regions on the heap. This memory corruption can lead to various consequences, including application crashes (denial of service), unpredictable behavior, or, in more advanced scenarios, can be leveraged for arbitrary code execution by overwriting critical data structures or function pointers.
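The boundary checks the paragraph above describes, shown as an added example: this is not protobuf's own code and it does not reproduce the specific defect fixed in 3.4.0, which the page does not detail. It is a bounds-checked reader for one length-delimited protobuf field (wire type 2, whose wire format is a varint tag, a varint length and the payload), in which the attacker-controlled length is validated against the remaining input and an application cap (`MAX_FIELD_LEN`, an assumed value) before it sizes any heap allocation or copy. A parser that skips either check is the bug class the section describes. The sample byte strings are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not protobuf's own code: a bounds-checked reader for a single
 * length-delimited protobuf field (wire type 2). A parser that trusts the
 * declared length to size its heap buffer, or checks it only after copying,
 * exhibits the bug class described above; here every length is checked first. */

#define MAX_FIELD_LEN (64u * 1024u)   /* assumed application limit, not a protobuf constant */

typedef enum {
    PB_OK = 0,
    PB_BAD_VARINT,      /* varint runs off the end of the input or exceeds 10 bytes */
    PB_WRONG_WIRE_TYPE, /* tag is not the expected field with wire type 2 */
    PB_TOO_LARGE,       /* declared length exceeds MAX_FIELD_LEN */
    PB_TRUNCATED,       /* declared length exceeds the bytes actually present */
    PB_OOM
} pb_status;

/* Decode a base-128 varint from [p, end). Returns bytes consumed, 0 on error. */
static size_t read_varint(const uint8_t *p, const uint8_t *end, uint64_t *out)
{
    uint64_t v = 0;
    size_t i = 0;
    while (p + i < end && i < 10) {             /* never read past `end` */
        uint8_t b = p[i];
        v |= (uint64_t)(b & 0x7f) << (7 * i);  /* i <= 9, so the shift stays below 64 */
        i++;
        if (!(b & 0x80)) { *out = v; return i; }
    }
    return 0;
}

/* Parse one field: tag varint, length varint, payload. On success *payload is a
 * malloc'd copy (caller frees) whose size came from the validated length. */
pb_status read_bytes_field(const uint8_t *buf, size_t buflen, uint32_t field,
                           uint8_t **payload, size_t *payload_len)
{
    const uint8_t *p = buf, *end = buf + buflen;
    uint64_t tag, len;
    size_t n;

    n = read_varint(p, end, &tag);
    if (n == 0) return PB_BAD_VARINT;
    p += n;
    if ((tag & 7) != 2 || (tag >> 3) != field) return PB_WRONG_WIRE_TYPE;

    n = read_varint(p, end, &len);
    if (n == 0) return PB_BAD_VARINT;
    p += n;

    /* The checks that matter: validate the attacker-controlled length against
     * the application cap and the remaining input before it sizes anything. */
    if (len > MAX_FIELD_LEN) return PB_TOO_LARGE;
    if (len > (uint64_t)(end - p)) return PB_TRUNCATED;

    uint8_t *out = malloc((size_t)len + 1);  /* +1: a zero-length payload still gets a buffer */
    if (out == NULL) return PB_OOM;
    memcpy(out, p, (size_t)len);             /* copy exactly the validated length */
    out[len] = 0;
    *payload = out;
    *payload_len = (size_t)len;
    return PB_OK;
}

/* Constructed sample messages for field 1 (tag byte 0x0a = field 1, wire type 2). */
static const uint8_t SAMPLE_OK[]         = { 0x0a, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t SAMPLE_TRUNCATED[]  = { 0x0a, 0x05, 'h', 'i' };               /* claims 5, has 2 */
static const uint8_t SAMPLE_HUGE[]       = { 0x0a, 0xff, 0xff, 0xff, 0xff, 0x0f }; /* claims 4294967295 */
static const uint8_t SAMPLE_BAD_VARINT[] = { 0x0a, 0x80 };                         /* unterminated length */
static const uint8_t SAMPLE_WRONG_TYPE[] = { 0x08, 0x05 };                         /* field 1, wire type 0 */

/* Parse field 1 of a sample, release the copy, and report status and parsed length. */
pb_status check_sample(const uint8_t *buf, size_t buflen, size_t *len_out)
{
    uint8_t *payload = NULL;
    size_t len = 0;
    pb_status st = read_bytes_field(buf, buflen, 1, &payload, &len);
    free(payload);
    if (len_out) *len_out = len;
    return st;
}

/* Convenience for callers that only want the parsed length (0 on any error). */
size_t sample_len(const uint8_t *buf, size_t buflen)
{
    size_t len = 0;
    return check_sample(buf, buflen, &len) == PB_OK ? len : 0;
}

int main(void)
{
    printf("ok:         %d (len %zu)\n", check_sample(SAMPLE_OK, sizeof SAMPLE_OK, NULL),
           sample_len(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("truncated:  %d\n", check_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, NULL));
    printf("huge:       %d\n", check_sample(SAMPLE_HUGE, sizeof SAMPLE_HUGE, NULL));
    printf("bad varint: %d\n", check_sample(SAMPLE_BAD_VARINT, sizeof SAMPLE_BAD_VARINT, NULL));
    printf("wrong type: %d\n", check_sample(SAMPLE_WRONG_TYPE, sizeof SAMPLE_WRONG_TYPE, NULL));
    return 0;
}
```

The order of the two length checks is deliberate: the cap is tested first so that a message declaring a multi-gigabyte payload is rejected before any arithmetic or allocation happens, and the remaining-input check then guarantees the `memcpy` never reads past the input buffer. Both checks operate on the declared length before it is converted to a `size_t` or used to size the heap buffer, which is the ordering the vulnerability class above gets wrong.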

What is the Impact of CVE-2015-5237?

Successful exploitation may allow attackers to cause a denial of service, corrupt memory, or potentially execute arbitrary code, leading to system instability or full compromise.

What is the Exploitability of CVE-2015-5237?

Exploitation of this heap-based buffer overflow requires an authenticated remote attacker to send specially crafted Protobuf messages. The complexity is moderate, as it involves understanding Protobuf message structure and how the vulnerable component handles parsing and memory allocation. Authentication is a prerequisite for exploitation. Privilege requirements depend on the context in which Protobuf messages are processed; if it's within a privileged service, the impact could be higher. This is a remote vulnerability, as the attacker sends malicious data over the network. Special conditions include the application using a vulnerable version of Protobuf and processing attacker-controlled content through it. The likelihood of exploitation is increased if the application widely uses Protobuf for inter-process communication or data serialization and deserialization from untrustworthy sources, especially after authentication.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2015-5237?

Available Upgrade Options

  • Google.Protobuf
    • <3.4.0 → Upgrade to 3.4.0
  • protobuf
    • <3.4.0 → Upgrade to 3.4.0
  • github.com/protocolbuffers/protobuf
    • <3.4.0 → Upgrade to 3.4.0
  • google/protobuf
    • <3.4.0 → Upgrade to 3.4.0
  • com.google.protobuf:protobuf-parent
    • <3.4.0 → Upgrade to 3.4.0


Additional Resources

What are Similar Vulnerabilities to CVE-2015-5237?

Similar Vulnerabilities: CVE-2014-0196, CVE-2014-9721, CVE-2015-3212, CVE-2015-1801, CVE-2016-10251