Advisory ID: ZPE-NG-2024-002
First Published: August 9, 2024
CVE ID: CVE-2024-37407 (details on NIST.gov)
CVSSv3 Score: 9.1 (Critical)
CVE ID: CVE-2024-26256 (details on NIST.gov)
CVSSv3 Base Score: 7.8 (High)
Summary
Libarchive allows out-of-bounds access when a ZIP archive has an empty-name file and mac-ext is enabled.
Libarchive’s RAR E8 filter allows a heap-based buffer overflow.
Affected Nodegrid OS Versions
- 3.2.0 to 3.2.56 (EOL)
- 4.2.0 to 4.2.17 (EOL)
- 5.0.0 to 5.0.18 (EOL)
- 5.2.0 to 5.2.20 (EOL)
- 5.4.0 to 5.4.17 (EOL)
- 5.6.0 to 5.6.14 (EOL)
- 5.8.0 to 5.8.19 (LTS)
- 5.10.0 to 5.10.15 (Stable)
- 6.0.0 to 6.0.11 (LTS)
Nodegrid OS is used in the following products:
- Nodegrid Serial Console
- Nodegrid Serial Console Plus
- Nodegrid Net Services Router
- Nodegrid Gate SR
- Nodegrid Link SR
- Nodegrid Bold SR
- Nodegrid Hive SR
- Nodegrid Mini SR
- Nodegrid Manager
- Nodegrid Virtual Services Router
Impact
These vulnerabilities could lead to denial of service or arbitrary code execution in the context of the application using libarchive.
However, they can only be exploited if an authenticated user uses a ZIP or RAR file from untrusted sources with one of these applications:
- bsdcat
- bsdunzip
- opkg
- osinfo-db-export
- osinfo-db-import
Mitigations
Avoid extracting ZIP and RAR archives received from untrusted sources.
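The following pre-extraction screen is an added example, not part of the original advisory and not ZPE or libarchive code. It reads an archive's bytes without libarchive, identifies RAR files by signature, and walks a ZIP's central directory and local headers to flag the empty-name entry described in the Summary. The function name and verdict strings are assumptions chosen for illustration.

```python
import struct
import sys

EOCD_SIG = b"PK\x05\x06"      # ZIP end-of-central-directory record
CDH_SIG = b"PK\x01\x02"       # ZIP central directory file header
LFH_SIG = b"PK\x03\x04"       # ZIP local file header
RAR_MAGIC = b"Rar!\x1a\x07"   # common prefix of the RAR 4 and RAR 5 signatures


def screen_archive(data: bytes) -> str:
    """Return 'rar', 'zip', 'zip-empty-name', 'zip-unparsed' or 'other'."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    # The EOCD record is 22 bytes plus at most 65535 bytes of comment.
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 65535))
    if eocd < 0:
        return "other"
    if eocd + 22 > len(data):
        return "zip-unparsed"
    total, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    if total == 0xFFFF or cd_off == 0xFFFFFFFF:
        return "zip-unparsed"          # ZIP64 is not walked by this screen
    pos = cd_off
    for _ in range(total):
        if pos + 46 > len(data) or data[pos:pos + 4] != CDH_SIG:
            return "zip-unparsed"
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (lfh_off,) = struct.unpack_from("<I", data, pos + 42)
        if lfh_off + 30 > len(data) or data[lfh_off:lfh_off + 4] != LFH_SIG:
            return "zip-unparsed"
        (local_name_len,) = struct.unpack_from("<H", data, lfh_off + 26)
        # An entry whose file name has length zero in either header is the
        # condition the advisory names for the ZIP issue.
        if name_len == 0 or local_name_len == 0:
            return "zip-empty-name"
        pos += 46 + name_len + extra_len + comment_len
    return "zip"


if __name__ == "__main__":
    # Usage: python3 screen_archive.py FILE [FILE ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, screen_archive(fh.read()))
```

A "zip" verdict only means the empty-name condition was not found, and "rar" only identifies the format, so archives from untrusted sources should still be kept away from the listed applications until the device is upgraded.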
Solutions
For users using Nodegrid version 6.0:
Upgrade to Nodegrid OS version 6.0.12 or above.
For users using Nodegrid version 5.10:
Upgrade to Nodegrid OS version 5.10.16 or above.
For users using Nodegrid 5.8, an interim solution is available to customers via Sharefile. It involves installing a package to update libarchive on the latest supported versions, as described in the accompanying README.txt.
Upgrade to Nodegrid OS version 5.8.20 or above when available.