CVE-2019-13132

Bug #1835213 reported by Luca Boccassi
Affects: zeromq3 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Eduardo Barretto
Milestone: (none)

Bug Description

Dear Security Team,

I am the upstream maintainer of libzmq/zeromq - https://github.com/zeromq/libzmq

CVE-2019-13132 has been reported privately, and I have confirmed it is not only valid but quite bad (TM).

The bug allows any unauthenticated client to cause a stack overflow on any server that is supposed to be protected by encryption/authentication. Arbitrary data sent by the client will overwrite the stack, so although the reporter didn't provide a specific exploit, it is entirely possible that a crafty attacker could take advantage of this vulnerability to do more than "just" crash the server.

The bug affects all libzmq/zeromq releases from 4.0.0 onward. Any server running with CURVE encryption/authentication is vulnerable.

Due to the severity, I have not yet published the details on the CVE or the issue tracker, and would like to do a release before it is disclosed, to let the fix percolate in all distros.

The proposed plan is as follows:

I will release upstream versions 4.3.2, 4.1.7 and 4.0.9 on Monday the 8th of July at 16:00 UTC.
I would kindly ask to hold on publishing the security updates with the attached patches until the above time&date or later, as your schedule&availability permits, if possible.

The CVE details and the upstream issue tracker will then be published a week later, on the 15th.

The per-version patches cover the following distro releases:

xenial 4.1.4
bionic 4.2.5
cosmic 4.2.5
disco 4.3.1

Thank you for your help!
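
A triage helper for the version information in the report above, added here as an example; it is not code from the bug report, from libzmq or from the Ubuntu security team. It takes the fixed upstream releases (4.0.9, 4.1.7, 4.3.2) and the affected range (4.0.0 onward) from the report. Treating 4.2.x as a branch with no fixed point release of its own is an assumption drawn from the report listing none, and the changelog stanza it embeds is constructed, not the real Ubuntu upload text.

```shell
#!/bin/sh
# Added example (not from the bug report or libzmq): classify a libzmq
# version against CVE-2019-13132 using the fixed releases named in the
# report (4.0.9, 4.1.7, 4.3.2; everything from 4.0.0 onward affected).
set -eu

CVE_ID="CVE-2019-13132"

# Print not-affected | fixed | vulnerable for an upstream version "X.Y.Z".
# A Debian revision suffix such as "-7ubuntu0.1" is stripped first.
zmq_upstream_status() {
    v=${1%%[-+~]*}
    maj=${v%%.*}
    rest=${v#*.}
    min=${rest%%.*}
    case "$rest" in
        *.*) pat=${rest#*.}; pat=${pat%%.*} ;;
        *)   pat=0 ;;
    esac
    if [ "$maj" -lt 4 ]; then echo not-affected; return; fi
    if [ "$maj" -gt 4 ]; then echo fixed; return; fi
    case "$min" in
        0) need=9 ;;
        1) need=7 ;;
        2) echo vulnerable; return ;;   # assumption: no 4.2.x fix release exists
        3) need=2 ;;
        *) echo fixed; return ;;        # 4.4+ postdates the fix
    esac
    if [ "$pat" -ge "$need" ]; then echo fixed; else echo vulnerable; fi
}

# Distro packages are patched in place and keep the old upstream version
# (xenial stays at 4.1.4), so the version number alone is misleading for
# them: the package changelog is what records the CVE id.
# Usage: zmq_package_status VERSION CHANGELOG_FILE
zmq_package_status() {
    status=$(zmq_upstream_status "$1")
    if [ "$status" = vulnerable ] && grep -q "$CVE_ID" "$2" 2>/dev/null; then
        echo fixed-by-backport
    else
        echo "$status"
    fi
}

# Constructed sample changelog stanza in debian/changelog shape; the
# package revision and text are made up for this example.
SAMPLE_CHANGELOG=$(mktemp)
cat >"$SAMPLE_CHANGELOG" <<'EOF'
zeromq3 (4.1.4-7ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: stack overflow with CURVE enabled
    - debian/patches/CVE-2019-13132.patch
    - CVE-2019-13132
EOF

# Stand-alone demo: a patched distro package, an unpatched one, and an
# upstream build that already carries the fix.
if [ "$#" -eq 0 ]; then
    printf '%-8s %-12s %s\n' 4.1.4 "(backport)" "$(zmq_package_status 4.1.4 "$SAMPLE_CHANGELOG")"
    printf '%-8s %-12s %s\n' 4.1.4 "(no patch)" "$(zmq_package_status 4.1.4 /dev/null)"
    printf '%-8s %-12s %s\n' 4.3.2 "(upstream)" "$(zmq_package_status 4.3.2 /dev/null)"
else
    zmq_package_status "$1" "${2:-/dev/null}"
fi
```

On an Ubuntu host the two inputs come from the installed package: the version from `dpkg-query -W -f='${Version}' libzmq5` and the changelog from `zcat /usr/share/doc/libzmq5/changelog.Debian.gz` written to a file, so that a backported fix is not misreported as vulnerable just because the upstream version string never changed.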

Changed in zeromq3 (Ubuntu):
assignee: nobody → Eduardo dos Santos Barretto (ebarretto)
Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Thanks Luca for reporting it and providing the patches. I would like to know if there's an exploit/test case that can be used to verify that the patch actually fixes the issue. Thanks in advance.

Revision history for this message
Luca Boccassi (bluca) wrote :

Hi,

Yes there is, but for convenience the client requires at least libzmq 4.2.4 compiled with DRAFTS enabled, as nobody has provided a stand-alone mock of the protocol.
The server is very simple and can be compiled against all versions of the library from 4.0.0 onward.

I'll attach both.

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Thanks Luca. I am trying to build the client on Disco, I've changed the debian/rules to include --enable-drafts=yes and I am compiling the client with a simple 'gcc -g -lzmq repro_client.c -o client' but it complains about ZMQ_METADATA being undeclared. Is there anything else needed to compile the client?

Revision history for this message
Luca Boccassi (bluca) wrote :

Yes you need to use pkg-config to get the preprocessor flag to enable draft APIs - or alternatively manually pass -DZMQ_BUILD_DRAFT_API=1
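
The build step discussed in the two comments above, as an added example that is not part of the bug report and is not the reproducer itself. It assumes a libzmq built with `--enable-drafts` (as the comment describes) and uses only `pkg-config` and `gcc`; the source and output file names are placeholders for whatever client is being built.

```shell
#!/bin/sh
# Added example (not from the bug report): compile a libzmq client that uses
# draft APIs such as ZMQ_METADATA against a libzmq built with --enable-drafts.
set -eu

# Compiler flags for the draft API. A drafts-enabled libzmq advertises
# -DZMQ_BUILD_DRAFT_API=1 in its pkg-config Cflags; if it is missing we add
# the define by hand, as the maintainer suggests. The define only unlocks
# the declarations in zmq.h: the library itself must still have been built
# with drafts, so warn when pkg-config knows libzmq but not the flag.
zmq_draft_cflags() {
    flags=""
    if command -v pkg-config >/dev/null 2>&1 && pkg-config --exists libzmq; then
        flags=$(pkg-config --cflags libzmq)
        case " $flags " in
            *" -DZMQ_BUILD_DRAFT_API=1 "*) ;;
            *) echo "warning: libzmq.pc does not advertise draft support; was the library built with --enable-drafts?" >&2 ;;
        esac
    fi
    case " $flags " in
        *" -DZMQ_BUILD_DRAFT_API=1 "*) ;;
        *) flags="${flags:+$flags }-DZMQ_BUILD_DRAFT_API=1" ;;
    esac
    printf '%s\n' "$flags"
}

# Compile one source file into a draft-API client.
# Usage: build_draft_client SOURCE.c OUTPUT
# The source goes before -lzmq: Ubuntu's toolchain links with --as-needed,
# so a library named before the objects that use it can be dropped.
build_draft_client() {
    src=$1
    out=$2
    libs=$(pkg-config --libs libzmq 2>/dev/null || echo -lzmq)
    # shellcheck disable=SC2086  # flags are intentionally word-split
    gcc -g $(zmq_draft_cflags) "$src" -o "$out" $libs
}

# Stand-alone use: ./build.sh repro_client.c client
if [ "$#" -eq 2 ]; then
    build_draft_client "$1" "$2"
fi
```

If the compile still reports `ZMQ_METADATA` undeclared after this, the zmq.h being picked up is older than 4.2.4, which is the minimum the maintainer gives for the client; check which header `pkg-config --cflags libzmq` points at.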

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Thanks Luca. I could successfully run the reproducers. We do have a question, since you mentioned different dates between releasing the fix and releasing CVE details. What specific information are we allowed to publish on the 8th? We normally include the CVE number in debian/changelog and publish a USN (www.usn.ubuntu.com). Would that be ok? Or what do you expect from us on that?

Changed in zeromq3 (Ubuntu):
status: New → In Progress
Revision history for this message
Luca Boccassi (bluca) wrote :

Hello,

I have been advised on vs.openwall.org that the vulnerability details should be published, it's just the exploit that should be held back.

So I'd kindly ask to avoid publishing the reproducer I passed on.

I will use the following text in the release notes and on the upstream bug tracker on the 8th:

"CVE-2019-13132: a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations. All versions from 4.0.0 and upwards are affected."

Revision history for this message
Luca Boccassi (bluca) wrote :

Hi,

Given this will go public today, I have deleted the reproducers from the attachment list, which will be made public next week.

Revision history for this message
Luca Boccassi (bluca) wrote :

Hello, I have made the report public. The issue has been posted to oss-security, and the upstream releases are in progress and will be available in a few minutes.

information type: Private Security → Public Security
Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Thanks Luca for all the help and contribution, the fix is released. Feel free to contact us in case of new issues.

Changed in zeromq3 (Ubuntu):
status: In Progress → Fix Released