ID

VAR-201402-0146


CVE

CVE-2013-4738


TITLE

Buffer overflow vulnerability in the MSM camera driver for the Linux kernel, as used in Qualcomm Innovation Center Android contributions for MSM devices and other products

Trust: 0.8

sources: JVNDB: JVNDB-2013-005979

DESCRIPTION

Multiple stack-based buffer overflows in the MSM camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to gain privileges via (1) a crafted VIDIOC_MSM_VPE_DEQUEUE_STREAM_BUFF_INFO ioctl call, related to drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c, or (2) a crafted VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO ioctl call, related to drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c.

(1) drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c
(2) drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c

An attacker could gain privileges through the following items:
(1) Cleverly crafted VIDIOC_MSM_VPE_DEQUEUE_STREAM_BUFF_INFO ioctl call
(2) Cleverly crafted VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO ioctl call.

Android for MSM project is prone to multiple stack-based buffer-overflow vulnerabilities because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Local attackers can exploit these issues to run arbitrary code with elevated privileges. Failed exploit attempts will likely result in denial-of-service conditions.

MSM camera driver for the Linux kernel is a Qualcomm platform camera driver project based on the Linux kernel.

*Description*

A stack-based buffer overflow and a kernel memory disclosure vulnerability have been discovered in the system call handlers of the camera driver.

*CVE-2013-4738*

The camera post processing engine (CPP) and video processing engine (VPE) provide an ioctl system call interface to user space clients for communication. When processing arguments passed to the VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO or VIDIOC_MSM_VPE_DEQUEUE_STREAM_BUFF_INFO ioctl subdev handlers, a user space supplied length value is used to copy memory to a local stack buffer without proper bounds checking. An application with access to the respective device nodes can use this flaw to, e.g., elevate privileges.

Access Vector: local
Security Risk: high
Vulnerability: CWE-121 (stack-based buffer overflow)

*CVE-2013-4739*

The Gemini JPEG encoder and the Jpeg1.0 common encoder/decoder engines of the camera driver are not properly initializing all members of a structure before copying it to user space. This allows a local attacker to obtain potentially sensitive information from kernel stack memory via ioctl system calls.

Access Vector: local
Security Risk: low
Vulnerability: CWE-200 (information exposure)

*Affected versions*

All Android releases from CAF using a Linux kernel from the following heads:
- msm-3.4
- jb_3*

*Patch*

We advise customers to apply the following patches:

CVE-2013-4738:
- https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=c9c81836ee44db9974007d34cf2aaeb1a51a8d45
- https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=28385b9c3054c91dca1aa194ffa750550c50f3ce

CVE-2013-4739:
- https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=8604847927f952cc8e773b97eca24e1060a570f2

*Credits*

Reported by the researcher Jonathan Salwan and patched by Qualcomm Innovation Center

Trust: 2.16

sources: NVD: CVE-2013-4738 // JVNDB: JVNDB-2013-005979 // BID: 63263 // VULHUB: VHN-64740 // VULMON: CVE-2013-4738 // PACKETSTORM: 123704

AFFECTED PRODUCTS

vendor: codeaurora, model: android-msm, scope: eq, version: 2.6.29

Trust: 1.6

vendor: qualcomm, model: quic mobile station modem kernel, scope: eq, version: 3.4

Trust: 1.0

vendor: android for msm, model: android for msm, scope: eq, version: 2.6.29

Trust: 0.8

vendor: qualcomm, model: quic mobile station modem, scope: eq, version: 3.4

Trust: 0.8

sources: JVNDB: JVNDB-2013-005979 // CNNVD: CNNVD-201310-658 // NVD: CVE-2013-4738

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-4738
value: HIGH

Trust: 1.0

NVD: CVE-2013-4738
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201310-658
value: HIGH

Trust: 0.6

VULHUB: VHN-64740
value: HIGH

Trust: 0.1

VULMON: CVE-2013-4738
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2013-4738
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-64740
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-64740 // VULMON: CVE-2013-4738 // JVNDB: JVNDB-2013-005979 // CNNVD: CNNVD-201310-658 // NVD: CVE-2013-4738

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-64740 // JVNDB: JVNDB-2013-005979 // NVD: CVE-2013-4738

THREAT TYPE

local

Trust: 0.9

sources: BID: 63263 // CNNVD: CNNVD-201310-658

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201310-658

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-005979

PATCH

title: QCIR-2013-00008-1, url: https://www.codeaurora.org/projects/security-advisories/stack-based-buffer-overflow-and-memory-disclosure-camera-driver-cve-2013-4738-cve-2013-4739

Trust: 0.8

title: c9c81836ee44db9974007d34cf2aaeb1a51a8d45, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=47783

Trust: 0.6

title: 28385b9c3054c91dca1aa194ffa750550c50f3ce, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=47782

Trust: 0.6

title: 8604847927f952cc8e773b97eca24e1060a570f2, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=47781

Trust: 0.6

sources: JVNDB: JVNDB-2013-005979 // CNNVD: CNNVD-201310-658

EXTERNAL IDS

db: NVD, id: CVE-2013-4738

Trust: 3.0

db: OPENWALL, id: OSS-SECURITY/2013/10/15/4

Trust: 1.8

db: BID, id: 63263

Trust: 1.1

db: JVNDB, id: JVNDB-2013-005979

Trust: 0.8

db: CNNVD, id: CNNVD-201310-658

Trust: 0.7

db: MLIST, id: [OSS-SECURITY] 20131015 REPORT - STACK-BASED BUFFER OVERFLOW AND MEMORY DISCLOSURE IN CAMERA DRIVER (CVE-2013-4748 CVE-2013-4739)

Trust: 0.6

db: PACKETSTORM, id: 123704

Trust: 0.2

db: VULHUB, id: VHN-64740

Trust: 0.1

db: VULMON, id: CVE-2013-4738

Trust: 0.1

sources: VULHUB: VHN-64740 // VULMON: CVE-2013-4738 // BID: 63263 // JVNDB: JVNDB-2013-005979 // PACKETSTORM: 123704 // CNNVD: CNNVD-201310-658 // NVD: CVE-2013-4738

REFERENCES

url:https://www.codeaurora.org/projects/security-advisories/stack-based-buffer-overflow-and-memory-disclosure-camera-driver-cve-2013-4748-cve-2013-4739

Trust: 1.8

url:http://www.openwall.com/lists/oss-security/2013/10/15/4

Trust: 1.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4738

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-4738

Trust: 0.8

url:http://www.securityfocus.com/bid/63263

Trust: 0.7

url:https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=28385b9c3054c91dca1aa194ffa750550c50f3ce

Trust: 0.4

url:https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=c9c81836ee44db9974007d34cf2aaeb1a51a8d45

Trust: 0.4

url:https://www.codeaurora.org/xwiki/bin/qaep/

Trust: 0.3

url:https://www.codeaurora.org/projects/security-advisories/stack-based-buffer-overflow-and-memory-disclosure-camera-driver-cve-2013-4738-cve-2013-4739

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/119.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=8604847927f952cc8e773b97eca24e1060a570f2

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-4739

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-4738

Trust: 0.1

sources: VULHUB: VHN-64740 // VULMON: CVE-2013-4738 // BID: 63263 // JVNDB: JVNDB-2013-005979 // PACKETSTORM: 123704 // CNNVD: CNNVD-201310-658 // NVD: CVE-2013-4738

CREDITS

Jonathan Salwan of the Sysdream Security Lab

Trust: 0.9

sources: BID: 63263 // CNNVD: CNNVD-201310-658

SOURCES

db: VULHUB, id: VHN-64740
db: VULMON, id: CVE-2013-4738
db: BID, id: 63263
db: JVNDB, id: JVNDB-2013-005979
db: PACKETSTORM, id: 123704
db: CNNVD, id: CNNVD-201310-658
db: NVD, id: CVE-2013-4738

LAST UPDATE DATE

2024-11-23T22:31:20.802000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-64740, date: 2014-02-21T00:00:00
db: VULMON, id: CVE-2013-4738, date: 2014-02-21T00:00:00
db: BID, id: 63263, date: 2013-10-15T00:00:00
db: JVNDB, id: JVNDB-2013-005979, date: 2014-02-05T00:00:00
db: CNNVD, id: CNNVD-201310-658, date: 2014-02-08T00:00:00
db: NVD, id: CVE-2013-4738, date: 2024-11-21T01:56:15.457

SOURCES RELEASE DATE

db: VULHUB, id: VHN-64740, date: 2014-02-03T00:00:00
db: VULMON, id: CVE-2013-4738, date: 2014-02-03T00:00:00
db: BID, id: 63263, date: 2013-10-15T00:00:00
db: JVNDB, id: JVNDB-2013-005979, date: 2014-02-05T00:00:00
db: PACKETSTORM, id: 123704, date: 2013-10-21T22:22:22
db: CNNVD, id: CNNVD-201310-658, date: 2013-10-15T00:00:00
db: NVD, id: CVE-2013-4738, date: 2014-02-03T03:55:03.690