An information disclosure vulnerability exists in the Ethernet/IP UDP handler functionality of EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A specially crafted network request can lead to an out-of-bounds read.

**Summary**

An information disclosure vulnerability exists in the Ethernet/IP UDP handler functionality of EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A specially crafted network request can lead to an out-of-bounds read.

**Tested Versions**

EIP Stack Group OpENer 2.3  
EIP Stack Group OpENer development commit 8c73bf3

**Product URLs**

https://github.com/EIPStackGroup/OpENer

**CVSSv3 Score**

8.6 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

**CWE**

CWE-125 - Out-of-bounds Read

**Details**

OpENer is an EtherNet/IP stack for I/O adapter devices. It supports multiple I/O and explicit connections and includes objects and services for making EtherNet/IP-compliant products as defined in the ODVA specification.

An Ethernet/IP protocol header always consists of 24 bytes. The first 2 bytes are for the command code, followed by another two bytes for the length of the packet.  
Due to an integer conversion bug, a request with a maliciously high length field, about 0x8000, will be treated as a signed negative short integer. After processing a request packet, the code will use the provided length value to try and jump the specified amount of bytes forward, past the packet, to parse a potential follow-up request. By abusing the length field, this jump can also be directed up to roughly 32000 bytes in front of the buffer. Whatever is found there in memory will be treated as a command packet, the bytes parsed and acted upon. Should the first 2 bytes found correspond to a valid opcode, and the follow-up 2 bytes in the size location there be bigger than 32K, the next jump will be even further up to lower memory addresses, and so on.  
There are several opcodes which will return part of the request packet. By sending a request to jump into existing memory in front of a malicious packet, if one of several possible matching opcodes is found there, a return packet will be sent to the attacker based on what is found in memory at this address, including bytes from the parsed data. This way arbitrary memory may be returned to an attacker, resulting in an information leak. This attack only works using UDP when communication with the Opener server.

The problematic function is CheckAndHandleUdpUnicastSocket in generic_networkhandler.c:

    void CheckAndHandleUdpUnicastSocket(void) {
      /* see if this is an unsolicited inbound UDP message */
      if(true == CheckSocketSet(g_network_status.udp_unicast_listener)) {
    
        struct sockaddr_in from_address = { 0 };
        socklen_t from_address_length = sizeof(from_address);
    
        OPENER_TRACE_STATE(
            "networkhandler: unsolicited UDP message on EIP unicast socket\n");
    
        /* Handle UDP broadcast messages */
        CipOctet incoming_message[PC_OPENER_ETHERNET_BUFFER_SIZE] = { 0 };
        int received_size = recvfrom(g_network_status.udp_unicast_listener, NWBUF_CAST incoming_message, sizeof(incoming_message), 0,
          (struct sockaddr*) &from_address, &from_address_length);
    
        if(received_size <= 0) { /* got error */
            ...
        }
    
        OPENER_TRACE_INFO("Data received on UDP unicast:\n");
    
        EipUint8 *receive_buffer = &incoming_message[0];
        int remaining_bytes = 0;
        ENIPMessage outgoing_message;
        InitializeENIPMessage(&outgoing_message);
        do {
          // [1]
          EipStatus need_to_send = HandleReceivedExplictUdpData(g_network_status.udp_unicast_listener,
                                                                &from_address,
                                                                receive_buffer,
                                                                received_size,
                                                                &remaining_bytes,
                                                                true,
                                                                &outgoing_message);
    
          receive_buffer += received_size - remaining_bytes;
          received_size = remaining_bytes;
    
          if(need_to_send > 0) {
            OPENER_TRACE_INFO("UDP unicast reply sent:\n");
    
            /* if the active socket matches a registered UDP callback, handle a UDP packet */
            if(sendto(g_network_status.udp_unicast_listener, (char*) outgoing_message.message_buffer, outgoing_message.used_message_length, 0,
              (struct sockaddr*) &from_address, sizeof(from_address)) != outgoing_message.used_message_length) {
              OPENER_TRACE_INFO(
                  "networkhandler: UDP unicast response was not fully sent\n");
            }
          }
        } while(remaining_bytes > 0);
      }
    }
    

At \[1\], this function passes the UDP data to HandleReceivedExplictUdpData, passing received_size as a signed integer.

    EipStatus HandleReceivedExplictUdpData(const int socket,
                                           const struct sockaddr_in *from_address,
                                           const EipUint8 *buffer,
                                           const size_t buffer_length,
                                           int *number_of_remaining_bytes,
                                           bool unicast,
                                           ENIPMessage *const outgoing_message) {
      EipStatus return_value = kEipStatusOk;
      EncapsulationData encapsulation_data = { 0 };
      /* eat the encapsulation header*/
      /* the structure contains a pointer to the encapsulated data*/
      /* returns how many bytes are left after the encapsulated data*/
      *number_of_remaining_bytes = CreateEncapsulationStructure(buffer,
                                                                buffer_length,         // [2]
                                                                &encapsulation_data);
      ...
    

In turn, HandleReceivedExplictUdpData calls the function EipInt16 CreateEncapsulationStructure \[2\], where the length is parsed as a signed variable, and a final length calculation uses this signed number for the return value \[3\].

    EipInt16 CreateEncapsulationStructure(const EipUint8 *receive_buffer,
                                          int receive_buffer_length,
                                          EncapsulationData *const encapsulation_data)
    {
      encapsulation_data->communication_buffer_start = (EipUint8 *) receive_buffer;
      encapsulation_data->command_code = GetUintFromMessage(&receive_buffer);
      encapsulation_data->data_length = GetUintFromMessage(&receive_buffer);
      encapsulation_data->session_handle = GetUdintFromMessage(&receive_buffer);
      encapsulation_data->status = GetUdintFromMessage(&receive_buffer);
    
      memcpy(encapsulation_data->sender_context, receive_buffer,
             kSenderContextSize);
      receive_buffer += kSenderContextSize;
      encapsulation_data->options = GetUdintFromMessage(&receive_buffer);
      encapsulation_data->current_communication_buffer_position =
        (EipUint8 *) receive_buffer;
      return (receive_buffer_length - ENCAPSULATION_HEADER_LENGTH -
              encapsulation_data->data_length);                                  // [3]
    }
    

This issue can be also abused for a denial-of-service. If the length field in a request makes the parser jump back to the start of the packet, the same packet will be processed over and over again, resulting in 100% CPU usage. This can be triggered with a single 24 bytes UDP packet

Moreover, this issue can also be abused for a distributed denial-of-service. By combining the above DOS request with a spoofed source IP address for the request, an opcode that results in a reply to the specified source address will result in a continuous stream of replies to a victim, which cannot be stopped remotely. This can be triggered by a single UDP packet.

While the server is bound to a specific interface during launch, a listening socket is opened by default on all available interfaces, for a “broadcast mode”. The attack works not just on the specified, but all available interfaces that were bound during startup.

**Timeline**

2021-01-23 - Vendor Disclosure  
2021-04-20 - Disclosure deadline extended  
2021-06-08 - Talos confirmed patch/fix

2021-06-16 - Public Release

Discovered by Martin Zeiser of Cisco Talos.

CVE-2021-21777: TALOS-2021-1234 || Cisco Talos Intelligence Group

Dell PowerEdge Server BIOS and select Dell Precision Rack BIOS contain an out-of-bounds array access vulnerability. A local malicious user with high privileges may potentially exploit this vulnerability, leading to a denial of service, arbitrary code execution, or information disclosure in System Management Mode.

**Vaikutus**

High

**Tiedot**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2021-21554

*   Dell PowerEdge R640, R740, R740XD, R840, R940, R940xa, MX740c, MX840c, and, Dell Precision 7920 Rack Workstation BIOS contain a stack-based buffer overflow vulnerability in systems with Intel Optane DC Persistent Memory installed. A local malicious user with high privileges may potentially exploit this vulnerability, leading to a denial of Service, arbitrary code execution, or information disclosure in UEFI or BIOS Preboot Environment.

6.1

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

CVE-2021-21555

*   Dell PowerEdge R640, R740, R740XD, R840, R940, R940xa, MX740c, MX840c, and T640 Server BIOS contain a heap-based buffer overflow vulnerability in systems with NVDIMM-N installed. A local malicious user with high privileges may potentially exploit this vulnerability, leading to a denial of Service, arbitrary code execution, or information disclosure in UEFI or BIOS Preboot Environment.

6.1

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

CVE-2021-21556

*   Dell PowerEdge R640, R740, R740XD, R840, R940, R940xa, MX740c, MX840c, and T640 Server BIOS contain a stack-based buffer overflow vulnerability in systems with NVDIMM-N installed. A local malicious user with high privileges may potentially exploit this vulnerability, leading to a denial of Service, arbitrary code execution, or information disclosure in UEFI or BIOS Preboot Environment.

6.1

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

CVE-2021-21557

*   Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an out-of-bounds array access vulnerability. A local malicious user with high privileges may potentially exploit this vulnerability, leading to a denial of service, arbitrary code execution, or information disclosure in System Management Mode.

8.1

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2021-21554

*   Dell PowerEdge R640, R740, R740XD, R840, R940, R940xa, MX740c, MX840c, and, Dell Precision 7920 Rack Workstation BIOS contain a stack-based buffer overflow vulnerability in systems with Intel Optane DC Persistent Memory installed. A local malicious user with high privileges may potentially exploit this vulnerability, leading to a denial of Service, arbitrary code execution, or information disclosure in UEFI or BIOS Preboot Environment.

6.1

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

CVE-2021-21555

*   Dell PowerEdge R640, R740, R740XD, R840, R940, R940xa, MX740c, MX840c, and T640 Server BIOS contain a heap-based buffer overflow vulnerability in systems with NVDIMM-N installed. A local malicious user with high privileges may potentially exploit this vulnerability, leading to a denial of Service, arbitrary code execution, or information disclosure in UEFI or BIOS Preboot Environment.

6.1

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

CVE-2021-21556

*   Dell PowerEdge R640, R740, R740XD, R840, R940, R940xa, MX740c, MX840c, and T640 Server BIOS contain a stack-based buffer overflow vulnerability in systems with NVDIMM-N installed. A local malicious user with high privileges may potentially exploit this vulnerability, leading to a denial of Service, arbitrary code execution, or information disclosure in UEFI or BIOS Preboot Environment.

6.1

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

CVE-2021-21557

*   Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an out-of-bounds array access vulnerability. A local malicious user with high privileges may potentially exploit this vulnerability, leading to a denial of service, arbitrary code execution, or information disclosure in System Management Mode.

8.1

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen****Kiitokset**

Dell Technologies would like to thank Alexander Tereshkin and Alexander Matrosov of NVIDIA Product Security Team for reporting these issues.

**Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2021-06-08

Initial release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

PowerEdge, PowerEdge XR2, PowerEdge C4140, PowerEdge C6420, PowerEdge C6525, PowerEdge FC640, PowerEdge M640, PowerEdge M640 (for PE VRTX), PowerEdge MX740c, PowerEdge MX840c, PowerEdge R240, PowerEdge R340, PowerEdge R440, PowerEdge R540Näytä lisää

11 kesäk. 2021

CVE-2021-21557: DSA-2021-103: Dell PowerEdge Server Security Update for BIOS Vulnerabilities

An improper array index validation vulnerability exists in the TIF IP_planar_raster_unpack functionality of Accusoft ImageGear 19.9. A specially crafted malformed file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-21833: TALOS-2021-1296 || Cisco Talos Intelligence Group

An out-of-bounds write vulnerability exists in the JPG Handle_JPEG420 functionality of Accusoft ImageGear 19.9. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

An out-of-bounds write vulnerability exists in the JPG Handle\_JPEG420 functionality of Accusoft ImageGear 19.9. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

Accusoft ImageGear 19.9

**Product URLs**

https://www.accusoft.com/products/imagegear-collection/

**CVSSv3 Score**

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-131 - Incorrect Calculation of Buffer Size

**Details**

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

A specially crafted JPG file can lead to an out-of-bounds write in the handle_JPEG420 function, due to a buffer overflow caused by a missing size check for a buffer memory.

Trying to load a malformed JPG file, we end up in the following situation:

    This exception may be expected and handled.
    eax=08ee4c51 ebx=05d08c51 ecx=00000080 edx=0db17001 esi=10ab4fd1 edi=00000000
    eip=793c5eba esp=0019f5f8 ebp=0019f640 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
    igCore19d!IG_mpi_page_set+0xca16a:
    793c5eba 884aff          mov     byte ptr [edx-1],cl        ds:002b:0db17000=??
    

This write access violation is happening in the function handle_JPEG420, corresponding to the following pseudo-code, in LINE152:

    LINE1    dword __cdecl
    LINE2    handle_JPEG420(int param_1,int width,int height,int min_height,char *param_5,
    LINE3                  undefined *raster_buffer)
    LINE4    {
            [...]
    LINE29     iVar2 = *(int *)(param_5 + 0x7c);
    LINE30     pcVar5 = (char *)(min_height - 1U & 0x8000000f);
    LINE31     if ((int)pcVar5 < 0) {
    LINE32       pcVar5 = (char *)(((uint)(pcVar5 + -1) | 0xfffffff0) + 1);
    LINE33     }
    LINE34     pcVar6 = pcVar5;
    LINE35     if (min_height != 0) {
    LINE36       if (pcVar5 == NULL) {
    LINE37         pcVar12 = *(char **)(param_5 + 0x54);
    LINE38         local_8 = pcVar12 + iVar2;
    LINE39         pcVar6 = *(char **)(param_5 + 0xa4);
    LINE40         local_c = pcVar6 + iVar2;
    LINE41         local_10 = (char *)(*(int *)(param_5 + 0x58) + iVar2 * 7);
    LINE42         iVar7 = *(int *)(param_5 + 4);
    LINE43         param_5 = (char *)(*(int *)(param_5 + 0xa8) + iVar2 * 7);
    LINE44       }
    LINE45       else {
    LINE46         if (pcVar5 == (char *)0xf) {
    LINE47           local_8 = *(char **)(param_5 + 0x54);
    LINE48           local_c = *(char **)(param_5 + 0xa4);
    LINE49           pcVar12 = (char *)(*(int *)(param_5 + 0x58) + iVar2 * 7);
    LINE50           local_10 = (char *)(*(int *)(param_5 + 0x58) + *(int *)(param_5 + 0x7c) * 6);
    LINE51           pcVar6 = (char *)(iVar2 * 7 + *(int *)(param_5 + 0xa8));
    LINE52           iVar7 = (*(int *)(param_5 + 0x2c) * 0x10 - *(int *)(param_5 + 0x2c)) + *(int *)(param_5 + 8)
    LINE53           ;
    LINE54           param_5 = (char *)(*(int *)(param_5 + 0x7c) * 6 + *(int *)(param_5 + 0xa8));
    LINE55         }
    LINE56         else {
    LINE57           iVar7 = ((int)pcVar5 / 2) * iVar2;
    LINE58           pcVar12 = (char *)(*(int *)(param_5 + 0x54) + iVar7);
    LINE59           pcVar6 = (char *)(*(int *)(param_5 + 0xa4) + iVar7);
    LINE60           local_8 = pcVar12 + iVar2;
    LINE61           local_c = pcVar6 + iVar2;
    LINE62           local_10 = pcVar12 + -iVar2;
    LINE63           iVar7 = (int)pcVar5 * *(int *)(param_5 + 0x2c) + *(int *)(param_5 + 4);
    LINE64           param_5 = pcVar6 + -iVar2;
    LINE65         }
    LINE66       }
    LINE67       index = 0;
    LINE68       if (0 < width) {
    LINE69         uVar8 = (uint)pcVar5 & 0x80000001;
    LINE70         if ((int)uVar8 < 0) {
    LINE71           uVar8 = (uVar8 - 1 | 0xfffffffe) + 1;
    LINE72         }
    LINE73         iVar2 = -(int)pcVar6;
    LINE74         iVar3 = -(int)pcVar6;
    LINE75         iVar4 = -(int)pcVar6;
    LINE76         do {
    LINE77           iVar14 = -1;
    LINE78           if (index == 0) {
    LINE79             iVar14 = 0;
    LINE80           }
    LINE81           uVar11 = (uint)(index != width - 1U);
    LINE82           local_18 = local_10 + iVar4 + (int)pcVar6;
    LINE83           local_14 = param_5;
    LINE84           if (min_height == 1) {
    LINE85             local_18 = pcVar12;
    LINE86             local_14 = pcVar6;
    LINE87           }
    LINE88           local_20 = pcVar6 + (int)(local_8 + iVar2);
    LINE89           local_1c = pcVar6 + (int)(local_c + iVar3);
    LINE90           if (min_height == height + -1) {
    LINE91             local_20 = pcVar12;
    LINE92             local_1c = pcVar6;
    LINE93           }
    LINE94           uVar13 = index - 1;
    LINE95           if (index != width - 1U) {
    LINE96             uVar13 = index;
    LINE97           }
    LINE98           uVar9 = (uint)(byte)(*(char *)(index + iVar7) + 0x80);
    LINE99           if (uVar8 == 0) {
    LINE100            uVar13 = uVar13 & 0x80000001;
    LINE101            if ((int)uVar13 < 0) {
    LINE102              uVar13 = (uVar13 - 1 | 0xfffffffe) + 1;
    LINE103            }
    LINE104            if (uVar13 == 0) {
    LINE105              local_28 = (int)local_14[iVar14] +
    LINE106                         ((int)pcVar6[iVar14] + *pcVar6 * 3 + (int)*local_14) * 3 + 8 >> 4;
    LINE107              iVar10 = (int)local_18[iVar14];
    LINE108              iVar14 = ((int)pcVar12[iVar14] + *pcVar12 * 3 + (int)*local_18) * 3 + 8;
    LINE109            }
    LINE110            else {
    LINE111              iVar10 = local_14[uVar11] + 8 + ((int)pcVar6[uVar11] + *pcVar6 * 3 + (int)*local_14) * 3
    LINE112              ;
    LINE113              iVar14 = (int)pcVar12[uVar11] + *pcVar12 * 3 + (int)*local_18;
    LINE114  LAB_10135e43:
    LINE115              local_28 = iVar10 >> 4 & 0xff;
    LINE116              iVar10 = local_18[uVar11] + 8;
    LINE117              iVar14 = iVar14 * 3;
    LINE118            }
    LINE119          }
    LINE120          else {
    LINE121            uVar13 = uVar13 & 0x80000001;
    LINE122            if ((int)uVar13 < 0) {
    LINE123              uVar13 = (uVar13 - 1 | 0xfffffffe) + 1;
    LINE124            }
    LINE125            if (uVar13 != 0) {
    LINE126              iVar10 = local_1c[uVar11] + 8 + ((int)pcVar6[uVar11] + *pcVar6 * 3 + (int)*local_1c) * 3
    LINE127              ;
    LINE128              iVar14 = (int)pcVar12[uVar11] + *pcVar12 * 3 + (int)*local_20;
    LINE129              local_18 = local_20;
    LINE130              goto LAB_10135e43;
    LINE131            }
    LINE132            local_28 = (int)local_1c[iVar14] +
    LINE133                       ((int)pcVar6[iVar14] + *pcVar6 * 3 + (int)*local_1c) * 3 + 8 >> 4 & 0xff;
    LINE134            iVar10 = (int)local_20[iVar14];
    LINE135            iVar14 = ((int)pcVar12[iVar14] + *pcVar12 * 3 + (int)*local_20) * 3 + 8;
    LINE136          }
    LINE137          if (uVar13 == 1) {
    LINE138            param_5 = param_5 + 1;
    LINE139            pcVar6 = pcVar6 + 1;
    LINE140            pcVar12 = pcVar12 + 1;
    LINE141          }
    LINE142          uVar11 = iVar14 + iVar10 >> 4 & 0xff;
    LINE143          sVar1 = *(short *)(&DAT_1026fb80 + uVar11 * 2);
    LINE144          iVar14 = *(int *)(&DAT_10270180 + (local_28 & 0xff) * 4);
    LINE145          iVar10 = *(int *)(&DAT_1026fd80 + uVar11 * 4);
    LINE146                      /*  */
    LINE147          *raster_buffer =
    LINE148               *(undefined *)
    LINE149                ((int)*(short *)(&DAT_1026f980 + (local_28 & 0xff) * 2) + uVar9 + param_1);
    LINE150          raster_buffer[1] =
    LINE151               *(undefined *)(((int)(uVar9 * 0x10000 + iVar14 + iVar10) >> 0x10) + param_1);
    LINE152          raster_buffer[2] = *(undefined *)(uVar9 + (int)sVar1 + param_1);
    LINE153          index = index + 1;
    LINE154          raster_buffer = raster_buffer + 3;
    LINE155        } while ((int)index < width);
    LINE156      }
    LINE157    }
    LINE158    return (dword)pcVar6;
    LINE159  }
    

The raster_buffer looks to be a table of three integers to store data, as we can see from LINE147 to LINE154. The index of this table is controlled by the width variable (corresponding to size_X below), meaning the table should be at least width*3 in size. The size of raster_buffer is computed into the function IGDIBStd::compute_raster_size with the following pseudo-code:

    LINE160  uint __thiscall IGDIBStd::compute_raster_size(HIGDIBINFO this)
    LINE161  {
    LINE162    longlong lVar1;
    LINE163    uint uVar2;
    LINE164    ulonglong uVar3;
    LINE165    
    LINE166    lVar1 = (longlong)(int)(this->mys_struct_table_color).ptr_bits_per_channel_table *
    LINE167            (longlong)(int)(this->mys_struct_table_color).ptr_channel_count;
    LINE168    uVar3 = __allmul((uint)lVar1,(uint)((ulonglong)lVar1 >> 0x20),this->size_X,
    LINE169                     (int)this->size_X >> 0x1f);
    LINE170    lVar1 = (longlong)(uVar3 + 0x1f) >> 3;
    LINE171    uVar2 = (uint)lVar1 & 0xfffffffc;
    LINE172    if ((-1 < lVar1) && ((0 < (int)((longlong)(uVar3 + 0x1f) >> 0x23) || (0x7ffffffe < uVar2)))) {
    LINE173      wrapper_thow_exception
    LINE174                ((undefined *)0xfffffe6f,NULL,NULL,NULL,(undefined **)0x1022fa38,(undefined *)0x29);
    LINE175    }
    LINE176    return uVar2;
    LINE177  }
    

We can see here effectively the size is depending of three variables: ptr_bits_per_channel_table, ptr_channel_count and size_X (corresponding to width above).  
Theses values are set earlier in the execution while parsing the SOF0 JPEG tag and they correspond respectively to component number, precision and width of the values present into this tag, and are read directly from the file.  
To trigger the crash, an invalid image number of component from SOF0 tag and specific Spectral selection values from SOS tag must be set.

**Crash Information**

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    
    KEY_VALUES_STRING: 1
    
        Key  : AV.Fault
        Value: Write
    
        Key  : Analysis.CPU.mSec
        Value: 2593
    
        Key  : Analysis.DebugAnalysisManager
        Value: Create
    
        Key  : Analysis.Elapsed.mSec
        Value: 32299
    
        Key  : Analysis.Init.CPU.mSec
        Value: 2093
    
        Key  : Analysis.Init.Elapsed.mSec
        Value: 47455
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 175
    
        Key  : Timeline.OS.Boot.DeltaSec
        Value: 168234
    
        Key  : Timeline.Process.Start.DeltaSec
        Value: 46
    
        Key  : WER.OS.Branch
        Value: vb_release
    
        Key  : WER.OS.Timestamp
        Value: 2019-12-06T14:06:00Z
    
        Key  : WER.OS.Version
        Value: 10.0.19041.1
    
        Key  : WER.Process.Version
        Value: 1.0.1.1
    
    
    NTGLOBALFLAG:  2100000
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APPLICATION_VERIFIER_LOADED: 1
    
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 793c5eba (igCore19d!IG_mpi_page_set+0x000ca16a)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 0db17000
    Attempt to write to address 0db17000
    
    FAULTING_THREAD:  0001096c
    
    PROCESS_NAME:  Fuzzme.exe
    
    WRITE_ADDRESS:  0db17000 
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE_STR:  c0000005
    
    EXCEPTION_PARAMETER1:  00000001
    
    EXCEPTION_PARAMETER2:  0db17000
    
    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0019f640 793c7c39     79500680 000000fd 00004101 igCore19d!IG_mpi_page_set+0xca16a
    0019f6f0 793c3501     0c222f60 0019f9a8 0e172720 igCore19d!IG_mpi_page_set+0xcbee9
    0019f774 793b4139     00004101 0e172720 0c222f60 igCore19d!IG_mpi_page_set+0xc77b1
    0019f97c 793b00bf     0c222f60 0019f9a8 00000000 igCore19d!IG_mpi_page_set+0xb83e9
    0019fa08 793c70b5     00000003 793c3030 0e172720 igCore19d!IG_mpi_page_set+0xb436f
    0019fa24 793c6edd     0e172720 0c222f60 0000ffda igCore19d!IG_mpi_page_set+0xcb365
    0019fa48 793c5021     0e172720 0c222f60 0019fa70 igCore19d!IG_mpi_page_set+0xcb18d
    0019fa68 793c677a     0019ffc0 1000001d 0e162f70 igCore19d!IG_mpi_page_set+0xc92d1
    0019faa8 792d10d9     1000001d 0e162f70 00000001 igCore19d!IG_mpi_page_set+0xcaa2a
    0019fae0 79310557     00000000 0e162f70 0019fb30 igCore19d!IG_image_savelist_get+0xb29
    0019fd5c 7930feb9     00000000 05454f68 00000001 igCore19d!IG_mpi_page_set+0x14807
    0019fd7c 792a5777     00000000 05454f68 00000001 igCore19d!IG_mpi_page_set+0x14169
    0019fd9c 00498a3a     05454f68 0019fe0c 004801a4 igCore19d!IG_load_file+0x47
    0019fe14 00498e36     05454f68 0019fe8c 004801a4 Fuzzme!fuzzme+0x4a
    0019fee4 004daa53     00000005 05344ef8 0534df20 Fuzzme!main+0x376
    0019ff04 004da8a7     849468e5 004801a4 004801a4 Fuzzme!invoke_main+0x33
    0019ff60 004da73d     0019ff70 004daad8 0019ff80 Fuzzme!__scrt_common_main_seh+0x157
    0019ff68 004daad8     0019ff80 75e8fa29 00346000 Fuzzme!__scrt_common_main+0xd
    0019ff70 75e8fa29     00346000 75e8fa10 0019ffdc Fuzzme!mainCRTStartup+0x8
    0019ff80 77207a4e     00346000 2f1bf266 00000000 KERNEL32!BaseThreadInitThunk+0x19
    0019ffdc 77207a1e     ffffffff 772288f5 00000000 ntdll!__RtlUserThreadStart+0x2f
    0019ffec 00000000     004801a4 00346000 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    
    STACK_COMMAND:  ~0s ; .cxr ; kb
    
    SYMBOL_NAME:  igCore19d!IG_mpi_page_set+ca16a
    
    MODULE_NAME: igCore19d
    
    IMAGE_NAME:  igCore19d.dll
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_AVRF_c0000005_igCore19d.dll!IG_mpi_page_set
    
    OS_VERSION:  10.0.19041.1
    
    BUILDLAB_STR:  vb_release
    
    OSPLATFORM_TYPE:  x86
    
    OSNAME:  Windows 10
    
    IMAGE_VERSION:  19.9.0.0
    
    FAILURE_ID_HASH:  {39ff52ad-9054-81fd-3e4d-ef5d82e4b2c1}
    
    Followup:     MachineOwner
    ---------
    

**Timeline**

2021-04-28 - Vendor Disclosure  
2021-05-31 - Vendor Patched  
2021-06-01 - Public Release

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2021-21824: TALOS-2021-1289 || Cisco Talos Intelligence Group

A memory corruption vulnerability exists in the PNG png_palette_process functionality of Accusoft ImageGear 19.9. A specially crafted malformed file can lead to a heap buffer overflow. An attacker can provide malicious inputs to trigger this vulnerability.

CVE-2021-21808: TALOS-2021-1276 || Cisco Talos Intelligence Group

A heap-based buffer overflow vulnerability exists in the PSD read_icc_icCurve_data functionality of Accusoft ImageGear 19.9. A specially crafted malformed file can lead to an integer overflow that, in turn, leads to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A heap-based buffer overflow vulnerability exists in the PSD read\_icc\_icCurve\_data functionality of Accusoft ImageGear 19.9. A specially crafted malformed file can lead to an integer overflow that, in turn, leads to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

Accusoft ImageGear 19.9

**Product URLs**

https://www.accusoft.com/products/imagegear-collection/

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**Details**

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

A specially crafted PSD file can lead to an out-of-bounds write in read_icc_icCurve_data function, due to a buffer overflow caused by an integer overflow while allocating memory.  
Trying to load a malformed PSD file, we end up in the following situation:

    (bbb0.dfa0): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=0dc6cff8 ebx=6ba28620 ecx=00000000 edx=00000002 esi=0019f38c edi=0c25aff8
    eip=699204fd esp=0019f2dc ebp=0019f370 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
    igCore19d!IG_cpm_profiles_reset+0x56ed:
    699204fd f20f114cd0f8    movsd   mmword ptr [eax+edx*8-8],xmm1 ds:002b:0dc6d000=????????????????
    

The crash is happening in function read_icc_icCurve_data in LINE50 during a do-while loop (from LINE48 to LINE54) controlled by the curve_data->count:

    LINE1   dword read_icc_icCurve_data(uint **param_1,curve_type_data *curve_data)
    LINE2   {
    LINE3     uint size;
    LINE4     uint *buffer_for_curves_values;
    LINE5     undefined extraout_DL;
    LINE6     dword return_status;
    LINE7     uint index;
    LINE8     undefined4 uVar1;
    LINE9     int iVar2;
    LINE10    uint *puVar3;
    LINE11    uint *puVar4;
    LINE12    undefined uVar5;
    LINE13    char local_88 [128];
    LINE14    uint local_8;
    LINE15    
    LINE16    local_8 = DAT_102bcea8 ^ (uint)&stack0xfffffffc;
    LINE17    uVar5 = 0;
    LINE18    if (param_1[1] < &DAT_00000004) {
    LINE19                      /* char * _Format for sprintf */
    LINE20                      /* char * _Dest for sprintf */
    LINE21      sprintf(local_88,"Unexpected end of data while reading tag:%Xh, type:%s",param_1[3],"icCurve");
    LINE22      iVar2 = AF_err_record_set("..\\..\\..\\..\\Common\\Core\\ICCProfile.c",0x31b,-1,0,param_1[1],4,
    LINE23                                local_88);
    LINE24      uVar5 = (undefined)iVar2;
    LINE25    }
    LINE26    else {
    LINE27                      /* get count value from tag */
    LINE28      size = rotate_bytes(**param_1);
    LINE29      curve_data->count = size;
    LINE30      *param_1 = *param_1 + 1;
    LINE31      param_1[1] = param_1[1] + -1;
    LINE32    }
    LINE33    if (param_1[1] < (uint *)(curve_data->count * 2)) {
    LINE34                      /* char * _Format for sprintf */
    LINE35                      /* char * _Dest for sprintf */
    LINE36      sprintf(local_88,"Unexpected end of data while reading tag:%Xh, type:%s",param_1[3],"icCurve");
    LINE37      puVar4 = (uint *)(curve_data->count * 2);
    LINE38      puVar3 = param_1[1];
    LINE39      iVar2 = -1;
    LINE40      uVar1 = 0x336;
    LINE41    }
    LINE42    else {
    LINE43      buffer_for_curves_values = (uint *)AF_memm_alloc((uint)param_1[2],curve_data->count << 3);
    LINE44      curve_data->buffer_actual_curve_values = buffer_for_curves_values;
    LINE45      if (buffer_for_curves_values != NULL) {
    LINE46        index = 0;
    LINE47        if (curve_data->count != 0) {
    LINE48          do {
    LINE49            index = index + 1;
    LINE50            *(double *)(curve_data->buffer_actual_curve_values + index * 2 + -2) =
    LINE51                 (double)(uint)(*(ushort *)*param_1 >> 8) * 0.00390625 +
    LINE52                 (double)(uint)(*(ushort *)*param_1 & 0xff);
    LINE53            *param_1 = (uint *)((int)*param_1 + 2);
    LINE54          } while (index < curve_data->count);
    LINE55        }
    LINE56        param_1[1] = (uint *)((int)param_1[1] + curve_data->count * -2);
    LINE57        return_status = kind_of_fastfail(local_8 ^ (uint)&stack0xfffffffc,(char)index,uVar5);
    LINE58        return return_status;
    LINE59      }
    LINE60                      /* char * _Format for sprintf */
    LINE61                      /* char * _Dest for sprintf */
    LINE62      sprintf(local_88,"Out of memory while reading tag:%Xh, type:%s",param_1[3],"icCurve");
    LINE63      puVar4 = param_1[1];
    LINE64      puVar3 = NULL;
    LINE65      iVar2 = -1000;
    LINE66      uVar1 = 0x325;
    LINE67    }
    LINE68    AF_err_record_set("..\\..\\..\\..\\Common\\Core\\ICCProfile.c",uVar1,iVar2,0,puVar3,puVar4,
    LINE69                      local_88);
    LINE70    return_status = kind_of_fastfail(local_8 ^ (uint)&stack0xfffffffc,extraout_DL,uVar5);
    LINE71    return return_status;
    LINE72  }
    

The size for the memory buffer buffer_for_curves_values, allocated in LINE43, is computed by curve_data->count << 3 and is prone to an integer overflow.  
In the proof-of-concept, the curve_data->count is read from the file and has value “0x80000001”. The multiplication at LINE43 results in the value “8”, hence a buffer of only 8 bytes is allocated.

    0:000> !heap -p -a eax
        address 0dc6cff8 found in
        _DPH_HEAP_ROOT @ 3ed1000
        in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                     bc602d8:          dc6cff8                8 -          dc6c000             2000
        6e3aa8b0 verifier!AVrfDebugPageHeapAllocate+0x00000240
        7777ef0e ntdll!RtlDebugAllocateHeap+0x00000039
        776e6150 ntdll!RtlpAllocateHeap+0x000000f0
        776e57fe ntdll!RtlpAllocateHeapInternal+0x000003ee
        776e53fe ntdll!RtlAllocateHeap+0x0000003e
        6ba1dcff MSVCR110!malloc+0x00000049
        699361de igCore19d!AF_memm_alloc+0x0000001e
        69920475 igCore19d!IG_cpm_profiles_reset+0x00005665
        6991c4f2 igCore19d!IG_cpm_profiles_reset+0x000016e2
        6991fb42 igCore19d!IG_cpm_profiles_reset+0x00004d32
        6991f628 igCore19d!IG_cpm_profiles_reset+0x00004818
        69919990 igCore19d!IG_gctrl_item_set+0x00005bc0
        699290c6 igCore19d!IG_cpm_profiles_reset+0x0000e2b6
        69a2c79d igCore19d!IG_mpi_page_set+0x000f0a4d
        69a2bb32 igCore19d!IG_mpi_page_set+0x000efde2
        69a2b5aa igCore19d!IG_mpi_page_set+0x000ef85a
        699110d9 igCore19d!IG_image_savelist_get+0x00000b29
        69950557 igCore19d!IG_mpi_page_set+0x00014807
        6994feb9 igCore19d!IG_mpi_page_set+0x00014169
        698e5777 igCore19d!IG_load_file+0x00000047
        00498a3a Fuzzme!fuzzme+0x0000004a [C:\Users\etach\Documents\work\gitlab\ImageGear\Fuzzme\Fuzzme.cpp @ 282]
        00498e36 Fuzzme!main+0x00000376 [C:\Users\etach\Documents\work\gitlab\ImageGear\Fuzzme\Fuzzme.cpp @ 477]
        004daa53 Fuzzme!invoke_main+0x00000033 [d:\agent\_work\57\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78]
        004da8a7 Fuzzme!__scrt_common_main_seh+0x00000157 [d:\agent\_work\57\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
        004da73d Fuzzme!__scrt_common_main+0x0000000d [d:\agent\_work\57\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 331]
        004daad8 Fuzzme!mainCRTStartup+0x00000008 [d:\agent\_work\57\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp @ 17]
        763afa29 KERNEL32!BaseThreadInitThunk+0x00000019
        777076b4 ntdll!__RtlUserThreadStart+0x0000002f
        77707684 ntdll!_RtlUserThreadStart+0x0000001b
    

The count value is directly read from the file from the icc curv tag data of the PSD file. An adequate value chosen for the count leads to the integer overflow, which in turn leads to allocating a very small buffer which can lead to an out-of-bounds write. Note that the contents written out of bounds are read from the file and are thus under the attacker’s control.

**Crash Information**

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    
    KEY_VALUES_STRING: 1
    
        Key  : AV.Fault
        Value: Write
    
        Key  : Analysis.CPU.mSec
        Value: 3233
    
        Key  : Analysis.DebugAnalysisProvider.CPP
        Value: Create: 8007007e on DESKTOP-4DAOCFH
    
        Key  : Analysis.DebugData
        Value: CreateObject
    
        Key  : Analysis.DebugModel
        Value: CreateObject
    
        Key  : Analysis.Elapsed.mSec
        Value: 34473
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 187
    
        Key  : Analysis.System
        Value: CreateObject
    
        Key  : Timeline.OS.Boot.DeltaSec
        Value: 975007
    
        Key  : Timeline.Process.Start.DeltaSec
        Value: 197
    
        Key  : WER.OS.Branch
        Value: vb_release
    
        Key  : WER.OS.Timestamp
        Value: 2019-12-06T14:06:00Z
    
        Key  : WER.OS.Version
        Value: 10.0.19041.1
    
        Key  : WER.Process.Version
        Value: 1.0.1.1
    
    
    ADDITIONAL_XML: 1
    
    OS_BUILD_LAYERS: 1
    
    NTGLOBALFLAG:  2100000
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APPLICATION_VERIFIER_LOADED: 1
    
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 699204fd (igCore19d!IG_cpm_profiles_reset+0x000056ed)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 0dc6d000
    Attempt to write to address 0dc6d000
    
    FAULTING_THREAD:  0000dfa0
    
    PROCESS_NAME:  Fuzzme.exe
    
    WRITE_ADDRESS:  0dc6d000 
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE_STR:  c0000005
    
    EXCEPTION_PARAMETER1:  00000001
    
    EXCEPTION_PARAMETER2:  0dc6d000
    
    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0019f370 6991c4f2     0019f38c 0c25aff8 0f092f94 igCore19d!IG_cpm_profiles_reset+0x56ed
    0019f428 6991fb42     0f092f94 0000000e 72545243 igCore19d!IG_cpm_profiles_reset+0x16e2
    0019f4d8 6991f628     0f092f94 0000000e 72545243 igCore19d!IG_cpm_profiles_reset+0x4d32
    0019f510 69919990     00000000 00000004 1000001f igCore19d!IG_cpm_profiles_reset+0x4818
    0019f538 699290c6     1000001f 0f092dd0 00000230 igCore19d!IG_gctrl_item_set+0x5bc0
    0019f550 69a2c79d     0c1d0f40 0f092dd0 00000230 igCore19d!IG_cpm_profiles_reset+0xe2b6
    0019f614 69a2bb32     0019fb30 1000001e 09468f60 igCore19d!IG_mpi_page_set+0xf0a4d
    0019f650 69a2b5aa     0019fb30 0019f678 0019f6a0 igCore19d!IG_mpi_page_set+0xefde2
    0019faa8 699110d9     0019fb30 0946cfe0 00000001 igCore19d!IG_mpi_page_set+0xef85a
    0019fae0 69950557     00000000 0946cfe0 0019fb30 igCore19d!IG_image_savelist_get+0xb29
    0019fd5c 6994feb9     00000000 054d4f88 00000001 igCore19d!IG_mpi_page_set+0x14807
    0019fd7c 698e5777     00000000 054d4f88 00000001 igCore19d!IG_mpi_page_set+0x14169
    0019fd9c 00498a3a     054d4f88 0019fe0c 004801a4 igCore19d!IG_load_file+0x47
    0019fe14 00498e36     054d4f88 0019fe8c 004801a4 Fuzzme!fuzzme+0x4a
    0019fee4 004daa53     00000005 05414f20 0541df20 Fuzzme!main+0x376
    0019ff04 004da8a7     c4e97d5b 004801a4 004801a4 Fuzzme!invoke_main+0x33
    0019ff60 004da73d     0019ff70 004daad8 0019ff80 Fuzzme!__scrt_common_main_seh+0x157
    0019ff68 004daad8     0019ff80 763afa29 00224000 Fuzzme!__scrt_common_main+0xd
    0019ff70 763afa29     00224000 763afa10 0019ffdc Fuzzme!mainCRTStartup+0x8
    0019ff80 777076b4     00224000 a834ca50 00000000 KERNEL32!BaseThreadInitThunk+0x19
    0019ffdc 77707684     ffffffff 7772742d 00000000 ntdll!__RtlUserThreadStart+0x2f
    0019ffec 00000000     004801a4 00224000 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    
    STACK_COMMAND:  ~0s ; .cxr ; kb
    
    SYMBOL_NAME:  igCore19d!IG_cpm_profiles_reset+56ed
    
    MODULE_NAME: igCore19d
    
    IMAGE_NAME:  igCore19d.dll
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_AVRF_c0000005_igCore19d.dll!IG_cpm_profiles_reset
    
    OS_VERSION:  10.0.19041.1
    
    BUILDLAB_STR:  vb_release
    
    OSPLATFORM_TYPE:  x86
    
    OSNAME:  Windows 10
    
    IMAGE_VERSION:  19.9.0.0
    
    FAILURE_ID_HASH:  {749e662e-5382-aab8-f02d-cecd73653ce6}
    
    Followup:     MachineOwner
    ---------
    

**Timeline**

2021-03-16 - Vendor Disclosure

2021-05-31 - Public Release

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2021-21795: TALOS-2021-1264 || Cisco Talos Intelligence Group

Observable response discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Processors Software Developer Guidance Advisory**

**Summary: **

Potential security vulnerabilities in some Intel® Processors may allow information disclosure.  Intel is releasing updated software developer prescriptive guidance to address these potential vulnerabilities.

**Vulnerability Details:**

CVEID:  CVE-2021-0086

Description: Observable response discrepancy in floating-point operations for some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2021-0089

Description: Observable response discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

**Affected Products:**

All Intel® Processor families.

**Recommendations:**

For CVE-2021-0086  Intel recommends that affected software including web browser JavaScript engine that runs on Intel® Processors follow one of the below guidelines: 

•       Process isolation.

•       Use alternatives to NaN-boxing techniques (eg. Dedicated type tag).

•       Constraining FP results before potential type-confused usage.

Additional technical details can be found here.

For CVE-2021-0089 Intel recommends that affected software that runs on Intel® Processors follow one of the below guidelines:

•       Process isolation.

•       Place serializing operations between code gen and execution.

•       Place LFENCE-semantic operations between code gen and execution.

•       Options include LFENCE, SYSCALL/SYSRET

Additional technical details can be found here.

**Acknowledgements:**

Intel would like to thank Enrico Barberis, Hany Ragab, Herbert Bos, and Cristiano Giuffrida from the VUSec group at VU Amsterdam for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

06/08/2021

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-0089: INTEL-SA-00516

Improper input validation in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2021.1 IPU – BIOS Advisory**

Intel ID:

INTEL-SA-00463

Advisory Category:

Firmware

Impact of vulnerability:

Escalation of Privilege, Denial of Service

Severity rating:

HIGH

Original release:

06/08/2021

Last revised:

06/08/2021

**Summary: **

Potential security vulnerabilities in the BIOS firmware for some Intel® Processors may allow escalation of privilege or denial of service.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2020-12357

Description: Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-8670

Description: Race condition in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-8700

Description: Improper input validation in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-12359

Description: Insufficient control flow management in the firmware for some Intel(R) Processors may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 7.1 High

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-12358

Description: Out of bounds write in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H

CVEID: CVE-2021-0095

Description: Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVEID: CVE-2020-12360

Description: Out of bounds read in the firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 5.6 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2020-24486

Description: Improper input validation in the firmware for some Intel(R) Processors may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 5.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

**Affected Products:**

·       2nd Generation Intel® Xeon® Scalable Processors

·       Intel® Xeon® Scalable Processors

·       Intel® Xeon® Processor D Family

·       Intel® Xeon® Processor E Family

·       Intel® Xeon® Processor E7 v4 Family

·       Intel® Xeon® Processor E3 v6 Family

·       Intel® Xeon® Processor E3 v5 Family

·       Intel® Xeon® Processor E5 v4 Family

·       Intel® Xeon® Processor E5 v3 Family

·       Intel® Xeon® Processor W Family

·       Intel® Core™ Processors with Intel® Hybrid Technology

·       11th Generation Intel® Core™ Processors

·       10th Generation Intel® Core™ Processors

·       8th Generation Intel® Core™ Processors

·       7th Generation Intel® Core™ Processors

·       6th Generation Intel® Core™ processors

·       Intel® Core™ X-series Processors

**Recommendations:**

Intel recommends that users of the affected products update to the latest firmware version provided by the system manufacturer that addresses these issues.

**Acknowledgements:**

Intel would like to thank NVIDIA Product Security Team (CVE-2020-24486) and Intel employee Hareesh Khattri (CVE-2020-12357) for their reports.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

06/08/2021

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2020-8700: INTEL-SA-00463

An issue was discovered in the Linux kernel before 5.0.19. The XFRM subsystem has a use-after-free, related to an xfrm_state_fini panic, aka CID-dbb2483b2a46.

CVE-2019-25045

In FreeBSD 13.0-STABLE before n245764-876ffe28796c, 12.2-STABLE before r369857, 13.0-RELEASE before p1, and 12.2-RELEASE before p7, a system call triggering a fault could cause SMAP protections to be disabled for the duration of the system call. This weakness could be combined with other kernel bugs to craft an exploit.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-21:11.smap Security Advisory The FreeBSD Project Topic: SMAP bypass Category: core Module: amd64 Announced: 2021-05-26 Credits: I lost my dog if you see him please contact me at @m00nbsd. Affects: FreeBSD 12.2 and later. Corrected: 2021-05-26 19:18:54 UTC (stable/13, 13.0-STABLE) 2021-05-26 19:31:50 UTC (releng/13.0, 13.0-RELEASE-p1) 2021-05-26 19:30:31 UTC (stable/12, 12.2-STABLE) 2021-05-26 20:40:20 UTC (releng/12.2, 12.2-RELEASE-p7) CVE Name: CVE-2021-29628 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Supervisor Mode Access Prevention (SMAP) is a security feature implemented by contemporary Intel and AMD CPUs. When enabled, it ensures that accesses to user memory by the kernel trigger a page fault and a subsequent kernel panic. This helps mitigate the security implications of kernel bugs that permit an attacker to read from or write to user memory from the kernel. The kernel may legitimately need to copy data between userspace and the kernel. To enable this, SMAP is temporarily disabled in the subroutines which handle this copying, so only small, specially designated portions of the kernel should be executed with SMAP disabled. II. Problem Description The FreeBSD kernel enables SMAP during boot when the CPU reports that the SMAP capability is present. Subroutines such as copyin() and copyout() are responsible for disabling SMAP around the sections of code that perform user memory accesses. Such subroutines must handle page faults triggered when user memory is not mapped. The kernel's page fault handler checks the validity of the fault, and if it is indeed valid it will map a page and resume copying. If the fault is invalid, the fault handler returns control to a trampoline which aborts the operation and causes an error to be returned. In this second scenario, a bug in the implementation of SMAP support meant that SMAP would remain disabled until the thread returns to user mode. III. Impact This bug may be used to bypass the protections provided by SMAP for the duration of a system call. It could thus be combined with other kernel bugs to craft an exploit. IV. Workaround No workaround is available. On hardware that does not implement SMAP, the bug is inconsequential as the mitigation does not exist in the first place. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-21:11/smap.patch # fetch https://security.FreeBSD.org/patches/SA-21:11/smap.patch.asc # gpg --verify smap.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ 876ffe28796c stable/13-n245764 releng/13.0/ f32130a1955e releng/13.0-n244739 stable/12/ r369857 releng/12.2/ r369863 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmCu6vIACgkQ05eS9J6n 5cJagg//Yy30r/Dq2rgoY7p31CoF/jXDDqNEhqyJTcWoDY2M5THXBficHxWW68lE YLfndQRgz4oT7QNgxgnW0PYa0iHLiNFxZoI8lOcILpvHereXy0gEvLVPCstY7NY9 +jZnY7seLfSH+Y+VS5sjXbveMSMxovKzpp1rOrHVxJK7YeGY7YDqsK9pQ8Jk+4pE XlhOvhugL0qE4Fxj4qI5ClGmqDvyNXxlGWWwVtzZV2jYN1bdmZ0g88+HgJI1FcUr E2KIk1XwVidhQC8GJk9v7D/Bg4nYdq59Dozv4tu9IFfPkV+xl3qbgtXN5qJ0bp+u Y3NCEgq8Aoz60Xebulw1XBfvJFkLqUEthenYKtMSc9hN+QgAM9c9eQreRawTNezK aUSl+hUt9D6oVHh1Ki+OIhAgF+pAKN+7ARfcn2Ot57/TNbO1T9/C5mMd/hhQOkyj wJwj3nSLkUVQTNR9ntyyIj44XFRijtzG4foAJDuozfzC+hD82jSgXpCGnLwH6Gyx n0yIM1LbDZWrvAJ9W+uQmGJ1nv12Tzt24cDCSQ+zJjuTNfCso3bQ9b/IrXomBAwp waYpEOujzjaM7XdI9F4vb69XGX9mbKO67MoXgwlVowaRvVUBM0jAkaRo1gknF1sO CXLuogbOomTHcutlBsXtF0FBphLFx7YA8w4jtWnjnFW7wBzZ5dQ= =/4r7 -----END PGP SIGNATURE-----

Tag

#intel