Recently, the Swascan vulnerability team uncovered potential security vulnerabilities (further details of the vulnerability are provided below) and notified Xfinity’s Product Security Incident Response Team (PSIRT) through their responsible disclosure program.
The Swascan notification included all of the necessary information for Xfinity to remediate the vulnerability in a timely fashion.
Thereafter, we collaborated with the Xfinity PSIRT to ensure that the vulnerabilities were remediated within an appropriate and acceptable timeframe.
Swascan is the Cyber Security company founded by Pierguido Iezzi and Raoul Chiesa; the first in Italy to offer a cloud-based Cyber Security Testing platform that allows to identify, analyze and solve the vulnerabilities of websites and information infrastructures alike.
[pulsante-trial-eng]
The details
The vulnerabilities impacted all three pillars of the CIA triad:
- Confidentiality;
- Integrity;
- Availability.
In detail, the vulnerabilities identified belonged to the following CWE categories:
CWE-126 (Buffer Over-read)
This typically occurs when the pointer or its index is incremented to a position beyond the bounds of the buffer or when pointer arithmetic results in a position outside of the valid memory location to name a few. This may result in exposure of sensitive information or possibly a crash.
Possible impact: By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service.
CWE-20 (Improper Input Validation)
When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.
Possible impact: The attack using this class of vulnerabilities could compromise the availability of the target where an attacker could provide unexpected values and cause a program crash or excessive consumption of resources, such as memory and CPU; the confidentiality by reading confidential data if they are able to control resource references and all three categories (Integrity, Availability and Confidentiality) by using malicious input to modify data or possibly alter control flow in unexpected ways, including arbitrary command execution.
CWE-416 (Use After Free)
The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system’s reuse of the freed memory. Use-after-free errors have two common and sometimes two main overlapping causes: error conditions and other exceptional circumstances or confusion over which part of the program is responsible for freeing the memory.
In this scenario, the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process.If the newly allocated data chances to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.
Possible impact: An attack that uses a CWE-416 type vulnerability could have an effect of the Integrity of the target system. This is because the use of previously freed memory may corrupt valid data, if the memory area in question has been allocated and used properly elsewhere. Not only that, Availability could also be affected If chunk consolidation occurs after the use of previously freed data, the process may crash when invalid data is used as chunk information. Last, but not least, it could impact all three areas (Integrity, Availability and Confidentiality) If malicious data is entered before chunk consolidation can take place, it may be possible to take advantage of a write-what-where primitive to execute arbitrary code.
Swascan Team
Pierguido Iezzi, Co-Founder Swascan, CyberSecurity Director
Raoul Chiesa, Swascan co-founder, InfoSec addicted
Find out more about all the other Vulnerability Disclosures by clicking here