All the vulnerabilites related to goToMain - libosdp
cve-2024-52288
Vulnerability from cvelistv5
Published
2024-11-11 19:10
Modified
2024-11-12 14:48
Severity ?
EPSS score ?
Summary
libosdp is an implementation of IEC 60839-11-5 OSDP (Open Supervised Device Protocol) and provides a C library with support for C++, Rust and Python3. In affected versions an unexpected `REPLY_CCRYPT` or `REPLY_RMAC_I` may be introduced into an active stream when they should not be. Once RMAC_I message can be sent during a session, attacker with MITM access to the communication may intercept the original RMAC_I reply and save it. While the session continues, the attacker will record all of the replies and save them, till capturing the message to be replied (can be detected by ID, length or time based on inspection of visual activity next to the reader) Once attacker captures a session with the message to be replayed, he stops resetting the connection and waits for signal to perform the replay to of the PD to CP message (ex: by signaling remotely to the MIMT device or setting a specific timing). In order to replay, the attacker will craft a specific RMAC_I message in the proper seq of the execution, which will result in reverting the RMAC to the beginning of the session. At that phase - attacker can replay all the messages from the beginning of the session. This issue has been addressed in commit `298576d9` which is included in release version 3.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/goToMain/libosdp/security/advisories/GHSA-xhjw-7vh5-qxqm | x_refsource_CONFIRM | |
| https://github.com/goToMain/libosdp/commit/298576d9214b48214092eebdd892ec77be085e5a | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52288",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T14:48:07.852440Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:48:17.830Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "libosdp",
"vendor": "goToMain",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libosdp is an implementation of IEC 60839-11-5 OSDP (Open Supervised Device Protocol) and provides a C library with support for C++, Rust and Python3. In affected versions an unexpected `REPLY_CCRYPT` or `REPLY_RMAC_I` may be introduced into an active stream when they should not be. Once RMAC_I message can be sent during a session, attacker with MITM access to the communication may intercept the original RMAC_I reply and save it. While the session continues, the attacker will record all of the replies and save them, till capturing the message to be replied (can be detected by ID, length or time based on inspection of visual activity next to the reader) Once attacker captures a session with the message to be replayed, he stops resetting the connection and waits for signal to perform the replay to of the PD to CP message (ex: by signaling remotely to the MIMT device or setting a specific timing). In order to replay, the attacker will craft a specific RMAC_I message in the proper seq of the execution, which will result in reverting the RMAC to the beginning of the session. At that phase - attacker can replay all the messages from the beginning of the session. This issue has been addressed in commit `298576d9` which is included in release version 3.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-924",
"description": "CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T19:10:48.919Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/goToMain/libosdp/security/advisories/GHSA-xhjw-7vh5-qxqm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/goToMain/libosdp/security/advisories/GHSA-xhjw-7vh5-qxqm"
},
{
"name": "https://github.com/goToMain/libosdp/commit/298576d9214b48214092eebdd892ec77be085e5a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goToMain/libosdp/commit/298576d9214b48214092eebdd892ec77be085e5a"
}
],
"source": {
"advisory": "GHSA-xhjw-7vh5-qxqm",
"discovery": "UNKNOWN"
},
"title": "RMAC revert to the beginning of the session in libosdp"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52288",
"datePublished": "2024-11-11T19:10:48.919Z",
"dateReserved": "2024-11-06T19:00:26.393Z",
"dateUpdated": "2024-11-12T14:48:17.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-52296
Vulnerability from cvelistv5
Published
2024-11-12 15:58
Modified
2024-11-19 17:01
Severity ?
EPSS score ?
Summary
libosdp is an implementation of IEC 60839-11-5 OSDP (Open Supervised Device Protocol) and provides a C library with support for C++, Rust and Python3. At ospd_common.c, on the osdp_reply_name function, any reply id between REPLY_ACK and REPLY_XRD is valid, but names array do not declare all of the range. On a case of an undefined reply id within the range, name will be null (name = names[reply_id - REPLY_ACK];). Null name will casue a crash on next line: if (name[0] == '\0') as null[0] is invalid. As this logic is not limited to a secure connection, attacker may trigger this vulnerability without any prior knowledge. This issue is fixed in 2.4.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/goToMain/libosdp/security/advisories/GHSA-7945-5mcv-f2pp | x_refsource_CONFIRM | |
| https://github.com/goToMain/libosdp/commit/24409e98a260176765956ec766a04cb35984fab1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52296",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T17:01:45.739953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T17:01:59.287Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "libosdp",
"vendor": "goToMain",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libosdp is an implementation of IEC 60839-11-5 OSDP (Open Supervised Device Protocol) and provides a C library with support for C++, Rust and Python3. At ospd_common.c, on the osdp_reply_name function, any reply id between REPLY_ACK and REPLY_XRD is valid, but names array do not declare all of the range. On a case of an undefined reply id within the range, name will be null (name = names[reply_id - REPLY_ACK];). Null name will casue a crash on next line: if (name[0] == \u0027\\0\u0027) as null[0] is invalid. As this logic is not limited to a secure connection, attacker may trigger this vulnerability without any prior knowledge. This issue is fixed in 2.4.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:58:28.434Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/goToMain/libosdp/security/advisories/GHSA-7945-5mcv-f2pp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/goToMain/libosdp/security/advisories/GHSA-7945-5mcv-f2pp"
},
{
"name": "https://github.com/goToMain/libosdp/commit/24409e98a260176765956ec766a04cb35984fab1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goToMain/libosdp/commit/24409e98a260176765956ec766a04cb35984fab1"
}
],
"source": {
"advisory": "GHSA-7945-5mcv-f2pp",
"discovery": "UNKNOWN"
},
"title": "libosdp has a null pointer deref in osdp_reply_name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52296",
"datePublished": "2024-11-12T15:58:28.434Z",
"dateReserved": "2024-11-06T19:00:26.395Z",
"dateUpdated": "2024-11-19T17:01:59.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}