Attacker Value
Unknown
(1 user assessed)
Exploitability
Unknown
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

The LZO/LZ4 Integer Overflow Summary

Disclosure Date: July 03, 2014
CVE-2014-4611
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Integer overflow in the LZ4 algorithm implementation, as used in Yann Collet LZ4 before r118 and in the lz4_uncompress function in lib/lz4/lz4_decompress.c in the Linux kernel before 3.15.2, on 32-bit platforms might allow context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run that would be improperly handled by programs not complying with an API limitation, a different vulnerability than CVE-2014-4715.

Add Assessment

2
Technical Analysis

On Jun 26th, Don A. Bailey of Security Mouse published a blog detailing an integer overflow within
the LZO algorithm, specifically the LZ4 variant. The writeup can be found here:

http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html

PoC Example (Windows 32-bit):

#include "lz4.h"

char output[20<<20];
char input[20<<20];
int main(int argc, char* argv[]) {
  input[0] = 0x0F;
  input[1] = 0x00;
  input[2] = 0x00;
  for(int i = 3; i < 16800000; i++)
    input[i] = 0xff;
  LZ4_uncompress(input, output, 20<<20);
  return 0;
}

The LZ4 algorithm is vulnerable but in the real world no implementations are because either the
necessary vulnerable conditions aren’t dialed in correctly, or there is something else in place
(in the software or by operating system) that prevents the bug from exploitation. The flaw
requires the following conditions:

  • Must be in a 32-bit environment, which means all servers are safe from this issue.
  • The attacker need to forge a special compressed block to overflow a 32-bit address space and
    cause the decoding process to overflow, but it can only be done if the compressed block is
    something like 16MB or more. Some real-world implementations:
    * Legacy LZ4 file format is limited to 8MB, newer format is at 4MB.
    * ZFS = 128KB
    * zram = 4KB
    * Linux kernel = 8MB (uses LZ4 legacy)
    * Antivirus unpacking uses the official documented LZ4 (4MB max, 8MB if legacy format)
    * The latest lzo.c in FFmpeg is set at (10*1024*1024) + 16 (that’s 10MB + 16 bytes), and is allocated
    on the heap. However, matroskadec.c uses av_lzo1x_decode() with its own implementation and as
    far as I can tell there is no hard size limit.
  • The attack is most likely local

From the attacker’s perspective, it’s difficult to find apps out there that are actually vulnerable,
because so far we have not found one that exceeds 10MB, and we need something like 16MB. It’s even
more difficult to find them exploitable because of other memory corruption mitigations supported by
modern operating systems.

The fix in LZ4 can be found here (there is also a testing tool in fuzz.c):
https://github.com/Cyan4973/lz4/commit/da5373197e84ee49d75b8334d4510689731d6e90

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

Products

References

Canonical
CVE-2014-4611 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4611)
Advisory
[oss-security] 20140626 LMS-2014-06-16-5: Linux Kernel LZ4 (http://www.openwall.com/lists/oss-security/2014/06/26/24)
https://code.google.com/p/lz4/source/detail?r=118
openSUSE-SU-2014:0924 (http://lists.opensuse.org/opensuse-updates/2014-07/msg00025.html)
SECUNIA-60238 (http://secunia.com/advisories/60238)
SECTRACK-1030491 (http://www.securitytracker.com/id/1030491)
SECUNIA-59770 (http://secunia.com/advisories/59770)
SECUNIA-59567 (http://secunia.com/advisories/59567)
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=206204a1162b995e2185275167b22468c00d6b36
https://github.com/torvalds/linux/commit/206204a1162b995e2185275167b22468c00d6b36
https://code.google.com/p/lz4/issues/detail?id=52
[hadoop-common-issues] 20210916 [jira] [Updated] (HADOOP-17917) Backport HADOOP-15993 to branch-3.2 which Address CVE-2014-4611 (https://lists.apache.org/thread.html/rb301598bf24ecb6f4ce405c2a2ae23905fc4dce64277c020fc3883e5@%3Ccommon-issues.hadoop.apache.org%3E)
[hadoop-common-dev] 20210916 [jira] [Created] (HADOOP-17917) Backport HADOOP-15993 to branch-3.2 which Address CVE-2014-4611 (https://lists.apache.org/thread.html/r0038b5836e3bc91af3ff93721c0fc55d6543afab8cec47df7361fa0e@%3Ccommon-dev.hadoop.apache.org%3E)
[hadoop-common-issues] 20210916 [jira] [Created] (HADOOP-17917) Backport HADOOP-15993 to branch-3.2 which Address CVE-2014-4611 (https://lists.apache.org/thread.html/ra72a62803eeabb6a8dc65032ca81b13ab75c271e4dff2df27c2915bb@%3Ccommon-issues.hadoop.apache.org%3E)
[hadoop-common-issues] 20210920 [jira] [Updated] (HADOOP-17917) Backport HADOOP-15993 to branch-3.2 which Address CVE-2014-4611 (https://lists.apache.org/thread.html/r62f398f40f522cf59cfd89428835d4ca633a9764d82e4b7a12c37add@%3Ccommon-issues.hadoop.apache.org%3E)
[hadoop-common-issues] 20210920 [jira] [Commented] (HADOOP-17917) Backport HADOOP-15993 to branch-3.2 which Address CVE-2014-4611 (https://lists.apache.org/thread.html/r6c998e1a47c1c3fba61a80d0dcc4b39c7fc452400c7051f685b76c0b@%3Ccommon-issues.hadoop.apache.org%3E)
[hadoop-common-issues] 20210921 [jira] [Updated] (HADOOP-17917) Backport HADOOP-15993 to branch-3.2 which Address CVE-2014-4611 (https://lists.apache.org/thread.html/r35b9f26c8ad91094d37bea0256012aeb065e32ff73dda5f934fefeb3@%3Ccommon-issues.hadoop.apache.org%3E)
[hadoop-common-issues] 20210921 [jira] [Commented] (HADOOP-17917) Backport HADOOP-15993 to branch-3.2 which Address CVE-2014-4611 (https://lists.apache.org/thread.html/r8e0111cd64a455b0a33ab12a50fba724a0218f283c759f16da8864c2@%3Ccommon-issues.hadoop.apache.org%3E)
[hadoop-common-issues] 20210921 [jira] [Comment Edited] (HADOOP-17917) Backport HADOOP-15993 to branch-3.2 which Address CVE-2014-4611 (https://lists.apache.org/thread.html/r31eb601a8415525fa4a77b2f624c09be3550599898468ab96d508f90@%3Ccommon-issues.hadoop.apache.org%3E)
[hadoop-common-commits] 20210924 [hadoop] branch branch-3.2.3 updated: HADOOP-17917. Backport HADOOP-15993 to branch-3.2 which address CVE-2014-4611. Contributed by Brahma Reddy Battula. (https://lists.apache.org/thread.html/r6794c8ff8f339d95a80415b0afbe71d5eda1b97bdaca19bec78d0f8f@%3Ccommon-commits.hadoop.apache.org%3E)
[hadoop-common-issues] 20210924 [jira] [Updated] (HADOOP-17917) Backport HADOOP-15993 to branch-3.2 which address CVE-2014-4611 (https://lists.apache.org/thread.html/r5c9b4826bbd8933e4688db62f6ed9008cabb8f26bcea84d4e309caf7@%3Ccommon-issues.hadoop.apache.org%3E)
[hadoop-common-commits] 20210924 [hadoop] branch branch-3.2 updated: HADOOP-17917. Backport HADOOP-15993 to branch-3.2 which address CVE-2014-4611. Contributed by Brahma Reddy Battula. (https://lists.apache.org/thread.html/r229456b1fa718e329232bd7ceca4bd3e81ac55f2ec4db7314f1d7fcb@%3Ccommon-commits.hadoop.apache.org%3E)
[hadoop-common-issues] 20210924 [jira] [Commented] (HADOOP-17917) Backport HADOOP-15993 to branch-3.2 which address CVE-2014-4611 (https://lists.apache.org/thread.html/rf4cb13d6ee891dfe2307389c8c6594a0cb10d9efb72be8bd2f97cb76@%3Ccommon-issues.hadoop.apache.org%3E)
[hadoop-common-issues] 20210928 [jira] [Commented] (HADOOP-17917) Backport HADOOP-15993 to branch-3.2 which address CVE-2014-4611 (https://lists.apache.org/thread.html/r0addc410fdd680330054deb526323edb29e869e8d1097593f538e208@%3Ccommon-issues.hadoop.apache.org%3E)
Miscellaneous
https://code.google.com/p/lz4/issues/detail?can=1&start=0&num=100&q=&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary&groupby=&sort=&id=52
https://github.com/Cyan4973/lz4/commit/da5373197e84ee49d75b8334d4510689731d6e90
http://fastcompression.blogspot.com/2014/06/debunking-lz4-20-years-old-bug-myth.html
https://www.virustotal.com/en/file/173015c7e9056873a7b7062fa1950828e9686e67dc5359e2f837fafad7853298/analysis/1403815077
http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
http://pastebin.com/kG3AsUKP
RedHat (https://bugzilla.redhat.com/show_bug.cgi?id=1112436)
kernel.org (http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.15.2)
https://www.securitymouse.com/lms-2014-06-16-6
http://twitter.com/djrbliss/statuses/485042901399789568
http://twitter.com/djrbliss/statuses/484931749013495809
http://fastcompression.blogspot.fr/2014/06/debunking-lz4-20-years-old-bug-myth.html
https://www.securitymouse.com/lms-2014-06-16-5

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis