SB2018060510 - Multiple vulnerabilities in mruby
Published: June 5, 2018 Updated: August 8, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Integer overflow (CVE-ID: CVE-2018-14337)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists in mrbgems/mruby-sprintf/src/sprintf.c within the CHECK macro. A remote attacker can trigger integer overflow due to the mrb_str_resize function in string.c does not check for a negative length.
2) NULL pointer dereference (CVE-ID: CVE-2018-12247)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in mruby 1.4.1. There is a NULL pointer dereference in mrb_class, related to certain .clone usage, because mrb_obj_clone in kernel.c copies flags other than the MRB_FLAG_IS_FROZEN flag (e.g., the embedded flag). A remote attacker can perform a denial of service (DoS) attack.
3) Out-of-bounds read (CVE-ID: CVE-2018-12248)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read associated with OP_ENTER because mrbgems/mruby-fiber/src/fiber.c does not extend the stack in cases of many arguments to fiber. A remote attacker can perform a denial of service attack.
4) NULL pointer dereference (CVE-ID: CVE-2018-12249)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in mruby 1.4.1. There is a NULL pointer dereference in mrb_class_real because "class BasicObject" is not properly supported in class.c. A remote attacker can perform a denial of service (DoS) attack.
5) Access of Uninitialized Pointer (CVE-ID: CVE-2018-11743)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The init_copy function in kernel.c in mruby 1.4.1 makes initialize_copy calls for TT_ICLASS objects, which allows attackers to cause a denial of service (mrb_hash_keys uninitialized pointer and application crash) or possibly have unspecified other impact.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://github.com/mruby/mruby/issues/4062
- https://github.com/mruby/mruby/commit/55edae0226409de25e59922807cb09acb45731a2
- https://github.com/mruby/mruby/issues/4036
- https://github.com/mruby/mruby/commit/778500563a9f7ceba996937dc886bd8cde29b42b
- https://github.com/mruby/mruby/issues/4038
- https://github.com/mruby/mruby/commit/faa4eaf6803bd11669bc324b4c34e7162286bfa3
- https://github.com/mruby/mruby/issues/4037
- https://github.com/mruby/mruby/commit/b64ce17852b180dfeea81cf458660be41a78974d
- https://github.com/mruby/mruby/issues/4027