[Pkg-telepathy-maintainers] Bug#1078555: ofono: CVE-2024-7537 CVE-2024-7538 CVE-2024-7539 CVE-2024-7540 CVE-2024-7541 CVE-2024-7542 CVE-2024-7543 CVE-2024-7544 CVE-2024-7545 CVE-2024-7546 CVE-2024-7547
Mike Gabriel
sunweaver at debian.org
Sat Mar 1 13:23:29 GMT 2025
Control: clone -1 -2
Control: retitle -1 ofono CVE-2024-7538 CVE-2024-7539 CVE-2024-7540 CVE-2024-7541 CVE-2024-7542 CVE-2024-7543 CVE-2024-7544 CVE-2024-7545 CVE-2024-7546 CVE-2024-7547
Control: retitle -2 ofono: CVE-2024-7537
Hi Moritz, hi all,
as already pre-discussed with Salvatore on IRC, I am herewith splitting
this bug into two.
On Mon, Aug 12, 2024 at 02:33:36PM +0200, Moritz Mühlenhoff wrote:
> Source: ofono
> X-Debbugs-CC: team at security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for ofono.
>
> CVE-2024-7537[0]:
> | oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure
> | Vulnerability. This vulnerability allows local attackers to disclose
> | sensitive information on affected installations of oFono.
> | Authentication is not required to exploit this vulnerability. The
> | specific flaw exists within the processing of SMS message lists. The
> | issue results from the lack of proper validation of user-supplied
> | data, which can result in a read past the end of an allocated
> | buffer. An attacker can leverage this in conjunction with other
> | vulnerabilities to execute arbitrary code in the context of root.
> | Was ZDI-CAN-23157.
A fix for the above CVE is currently work in progress. During the last week,
we have received feedback from ZDI, and they are reporting their findings
on CVE-2024-7537 to the ofono upstream custodians. Our original message
from a few months ago was missed by the security researchers, so Sicelo now
pinged them again and they responded immediately.
The CVE is hardware-specific (QMI chipsets by Qualcomm) and only
exploitable in conjunction with other exploits. The CVEs for those
other exploitation pathways have been fixed in ofono in the meantime.
So for the new bug cloned from #1078555, our suggestion is to reduce the
severity to important (not all Debian users are affected by it, and an
exploit is not so likely anymore).
Everything below here will remain in #1078555. As of now, all issues
except for CVE-2024-7538 are marked as resolved in Debian's security
tracker.
> https://www.zerodayinitiative.com/advisories/ZDI-24-1077/
>
> CVE-2024-7538[1]:
> | oFono CUSD AT Command Stack-based Buffer Overflow Code Execution
> | Vulnerability. This vulnerability allows local attackers to execute
> | arbitrary code on affected installations of oFono. An attacker must
> | first obtain the ability to execute code on the target modem in
> | order to exploit this vulnerability. The specific flaw exists
> | within the parsing of responses from AT Commands. The issue results
> | from the lack of proper validation of the length of user-supplied
> | data prior to copying it to a stack-based buffer. An attacker can
> | leverage this vulnerability to execute code in the context of root.
> | Was ZDI-CAN-23190.
We think that CVE-2024-7538 has been fixed alongside the fix of CVE-2024-7539.
See: https://salsa.debian.org/telepathy-team/ofono/-/commit/f11771ba52b3597302d7f3472d96034ee4e17dba
(uploaded to Debian with ofono 2.14-1).
With this in mind, I'd like to see #1078555 closed after the factoring out.
@Debian sec team:
* Please provide feedback on the above.
* Please close #1078555 if you agree with my above reasonings.
* Please downgrade the severity of the new #-2 bug if you agree,
or follow up on this mail.
I will also update the security-tracker database once the new bug number
of #-2 has arrived here.
Thanks,
Mike
(everything below here has been resolved)
> https://www.zerodayinitiative.com/advisories/ZDI-24-1078/
>
> CVE-2024-7539[2]:
> | oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability.
> | This vulnerability allows local attackers to execute arbitrary code
> | on affected installations of oFono. An attacker must first obtain
> | the ability to execute code on the target modem in order to exploit
> | this vulnerability. The specific flaw exists within the parsing of
> | responses from AT+CUSD commands. The issue results from the lack of
> | proper validation of the length of user-supplied data prior to
> | copying it to a stack-based buffer. An attacker can leverage this
> | vulnerability to execute code in the context of root. Was
> | ZDI-CAN-23195.
>
> https://www.zerodayinitiative.com/advisories/ZDI-24-1079/
>
> CVE-2024-7540[3]:
> | oFono AT CMGL Command Uninitialized Variable Information Disclosure
> | Vulnerability. This vulnerability allows local attackers to disclose
> | sensitive information on affected installations of oFono. An
> | attacker must first obtain the ability to execute code on the target
> | modem in order to exploit this vulnerability. The specific flaw
> | exists within the parsing of responses from AT+CMGL commands. The
> | issue results from the lack of proper initialization of memory prior
> | to accessing it. An attacker can leverage this in conjunction with
> | other vulnerabilities to execute arbitrary code in the context of
> | root. Was ZDI-CAN-23307.
>
> https://www.zerodayinitiative.com/advisories/ZDI-24-1080/
>
> CVE-2024-7541[4]:
> | oFono AT CMT Command Uninitialized Variable Information Disclosure
> | Vulnerability. This vulnerability allows local attackers to disclose
> | sensitive information on affected installations of oFono. An
> | attacker must first obtain the ability to execute code on the target
> | modem in order to exploit this vulnerability. The specific flaw
> | exists within the parsing of responses from AT+CMT commands. The
> | issue results from the lack of proper initialization of memory prior
> | to accessing it. An attacker can leverage this in conjunction with
> | other vulnerabilities to execute arbitrary code in the context of
> | root. Was ZDI-CAN-23308.
>
> https://www.zerodayinitiative.com/advisories/ZDI-24-1081/
>
> CVE-2024-7542[5]:
> | oFono AT CMGR Command Uninitialized Variable Information Disclosure
> | Vulnerability. This vulnerability allows local attackers to disclose
> | sensitive information on affected installations of oFono. An
> | attacker must first obtain the ability to execute code on the target
> | modem in order to exploit this vulnerability. The specific flaw
> | exists within the parsing of responses from AT+CMGR commands. The
> | issue results from the lack of proper initialization of memory prior
> | to accessing it. An attacker can leverage this in conjunction with
> | other vulnerabilities to execute arbitrary code in the context of
> | root. Was ZDI-CAN-23309.
>
> https://www.zerodayinitiative.com/advisories/ZDI-24-1082/
>
> CVE-2024-7543[6]:
> | oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
> | Vulnerability. This vulnerability allows local attackers to execute
> | arbitrary code on affected installations of oFono. An attacker must
> | first obtain the ability to execute code on the target modem in
> | order to exploit this vulnerability. The specific flaw exists
> | within the parsing of STK command PDUs. The issue results from the
> | lack of proper validation of the length of user-supplied data prior
> | to copying it to a heap-based buffer. An attacker can leverage this
> | vulnerability to execute code in the context of the service account.
> | Was ZDI-CAN-23456.
>
> https://www.zerodayinitiative.com/advisories/ZDI-24-1083/
>
> CVE-2024-7544[7]:
> | oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
> | Vulnerability. This vulnerability allows local attackers to execute
> | arbitrary code on affected installations of oFono. An attacker must
> | first obtain the ability to execute code on the target modem in
> | order to exploit this vulnerability. The specific flaw exists
> | within the parsing of STK command PDUs. The issue results from the
> | lack of proper validation of the length of user-supplied data prior
> | to copying it to a heap-based buffer. An attacker can leverage this
> | vulnerability to execute code in the context of the service account.
> | Was ZDI-CAN-23457.
>
> https://www.zerodayinitiative.com/advisories/ZDI-24-1084/
>
> CVE-2024-7545[8]:
> | oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
> | Vulnerability. This vulnerability allows local attackers to execute
> | arbitrary code on affected installations of oFono. An attacker must
> | first obtain the ability to execute code on the target modem in
> | order to exploit this vulnerability. The specific flaw exists
> | within the parsing of STK command PDUs. The issue results from the
> | lack of proper validation of the length of user-supplied data prior
> | to copying it to a heap-based buffer. An attacker can leverage this
> | vulnerability to execute code in the context of the service account.
> | Was ZDI-CAN-23458.
>
> https://www.zerodayinitiative.com/advisories/ZDI-24-1085/
>
> CVE-2024-7546[9]:
> | oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
> | Vulnerability. This vulnerability allows local attackers to execute
> | arbitrary code on affected installations of oFono. An attacker must
> | first obtain the ability to execute code on the target modem in
> | order to exploit this vulnerability. The specific flaw exists
> | within the parsing of STK command PDUs. The issue results from the
> | lack of proper validation of the length of user-supplied data prior
> | to copying it to a heap-based buffer. An attacker can leverage this
> | vulnerability to execute code in the context of the service account.
> | Was ZDI-CAN-23459.
>
> https://www.zerodayinitiative.com/advisories/ZDI-24-1086/
>
> CVE-2024-7547[10]:
> | oFono SMS Decoder Stack-based Buffer Overflow Privilege Escalation
> | Vulnerability. This vulnerability allows local attackers to execute
> | arbitrary code on affected installations of oFono. An attacker must
> | first obtain the ability to execute code on the target modem in
> | order to exploit this vulnerability. The specific flaw exists
> | within the parsing of SMS PDUs. The issue results from the lack of
> | proper validation of the length of user-supplied data prior to
> | copying it to a stack-based buffer. An attacker can leverage this
> | vulnerability to execute code in the context of the service account.
> | Was ZDI-CAN-23460.
>
> https://www.zerodayinitiative.com/advisories/ZDI-24-1087/
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-7537
> https://www.cve.org/CVERecord?id=CVE-2024-7537
> [1] https://security-tracker.debian.org/tracker/CVE-2024-7538
> https://www.cve.org/CVERecord?id=CVE-2024-7538
> [2] https://security-tracker.debian.org/tracker/CVE-2024-7539
> https://www.cve.org/CVERecord?id=CVE-2024-7539
> [3] https://security-tracker.debian.org/tracker/CVE-2024-7540
> https://www.cve.org/CVERecord?id=CVE-2024-7540
> [4] https://security-tracker.debian.org/tracker/CVE-2024-7541
> https://www.cve.org/CVERecord?id=CVE-2024-7541
> [5] https://security-tracker.debian.org/tracker/CVE-2024-7542
> https://www.cve.org/CVERecord?id=CVE-2024-7542
> [6] https://security-tracker.debian.org/tracker/CVE-2024-7543
> https://www.cve.org/CVERecord?id=CVE-2024-7543
> [7] https://security-tracker.debian.org/tracker/CVE-2024-7544
> https://www.cve.org/CVERecord?id=CVE-2024-7544
> [8] https://security-tracker.debian.org/tracker/CVE-2024-7545
> https://www.cve.org/CVERecord?id=CVE-2024-7545
> [9] https://security-tracker.debian.org/tracker/CVE-2024-7546
> https://www.cve.org/CVERecord?id=CVE-2024-7546
> [10] https://security-tracker.debian.org/tracker/CVE-2024-7547
> https://www.cve.org/CVERecord?id=CVE-2024-7547
>
> Please adjust the affected versions in the BTS as needed.
>
--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunweaver at debian.org, http://sunweavers.net
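As an added illustration of the bug class that the ZDI descriptions for CVE-2024-7538, CVE-2024-7539 and CVE-2024-7547 share (a length taken from modem-supplied data and copied into a fixed-size stack buffer without being checked first), the following C is example code written for this page; it is not oFono's parser and does not reproduce any oFono code path. It uses a hypothetical handler for a "+CUSD: <m>,"<str>",<dcs>" response line and an invented 64-byte buffer; the sample lines are constructed, not captured from a modem. The point it makes is the one the advisories make: the modem's response is the untrusted input, so the copy length must be compared against the destination size before the copy, and over-long input rejected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size for this illustration; not oFono's value. */
#define USSD_BUF_LEN 64

/* Locate the quoted payload in a "+CUSD: <m>,"<str>",<dcs>" line.
 * On success *out points just after the opening quote and the return
 * value is the payload length; returns -1 if no complete quoted field. */
static long cusd_find_payload(const char *line, const char **out)
{
    const char *start = strchr(line, '"');
    if (start == NULL)
        return -1;
    start++;
    const char *end = strchr(start, '"');
    if (end == NULL)
        return -1;
    *out = start;
    return (long)(end - start);
}

/* BUG CLASS (do not use): trusts the length the modem sent and copies it
 * into a fixed stack buffer. A response whose quoted field is longer than
 * USSD_BUF_LEN - 1 bytes writes past the end of 'buf'. */
static int cusd_handle_unchecked(const char *line)
{
    char buf[USSD_BUF_LEN];
    const char *payload;
    long n = cusd_find_payload(line, &payload);
    if (n < 0)
        return -1;
    memcpy(buf, payload, (size_t)n);   /* never compared against sizeof buf */
    buf[n] = '\0';
    return (int)n;
}

/* Hardened: length is validated against the destination before any copy,
 * and over-long input is rejected rather than silently truncated. */
static int cusd_handle_checked(const char *line, char *dst, size_t dstlen)
{
    const char *payload;
    long n = cusd_find_payload(line, &payload);
    if (n < 0)
        return -1;
    if ((size_t)n >= dstlen)           /* leave room for the terminator */
        return -1;
    memcpy(dst, payload, (size_t)n);
    dst[n] = '\0';
    return (int)n;
}

/* Pure check to reason about a line without running the unsafe path:
 * would the unchecked handler overflow a buffer of this size? */
static bool cusd_would_overflow(const char *line, size_t buflen)
{
    const char *payload;
    long n = cusd_find_payload(line, &payload);
    return n >= 0 && (size_t)n >= buflen;
}

/* Convenience wrappers: run the hardened handler on a local buffer and
 * report either the returned length or whether the output matches. */
static int cusd_checked_len(const char *line)
{
    char out[USSD_BUF_LEN];
    return cusd_handle_checked(line, out, sizeof out);
}

static bool cusd_checked_yields(const char *line, const char *expected)
{
    char out[USSD_BUF_LEN];
    if (cusd_handle_checked(line, out, sizeof out) < 0)
        return false;
    return strcmp(out, expected) == 0;
}

/* Constructed sample lines; not captured from a real modem. */
static const char SAMPLE_OK[]   = "+CUSD: 0,\"Your balance is 12.50 EUR\",15";
static const char SAMPLE_LONG[] = "+CUSD: 0,\""
    "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "\",15";   /* 80-byte payload */
static const char SAMPLE_BAD[]  = "+CUSD: 2";        /* no quoted field */

int main(void)
{
    printf("benign:    checked=%d unchecked=%d\n",
           cusd_checked_len(SAMPLE_OK), cusd_handle_unchecked(SAMPLE_OK));
    printf("over-long: checked=%d would_overflow=%d\n",
           cusd_checked_len(SAMPLE_LONG),
           (int)cusd_would_overflow(SAMPLE_LONG, USSD_BUF_LEN));
    printf("malformed: checked=%d\n", cusd_checked_len(SAMPLE_BAD));
    /* cusd_handle_unchecked(SAMPLE_LONG) is deliberately never called. */
    return 0;
}
```

The unchecked handler is only ever run on the benign line; on SAMPLE_LONG it would smash the stack, which cusd_would_overflow reports without executing it. The same comparison-before-copy discipline applies to the SMS PDU case in CVE-2024-7547, where the length comes from a PDU field rather than a quoted AT response.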