Multitudes of software packages that make use of the ICU Project C/C++ and Java libraries may need to update after a pair of memory-based vulnerabilities were discovered and subsequently patched.
Version 55.1 of the ICU Project ICU4C library, released yesterday, addresses separate heap-based buffer overflow and integer overflow bugs in versions 52 through 54. Older versions of the library could also be affected, said researcher Pedro Ribeiro of Agile Information Security, who discovered the vulnerabilities while fuzzing LibreOffice, one of the numerous open source and enterprise software packages that are built using the library.
The ICU library lives in hundreds of software packages and embedded systems, including smart televisions, browsers and the Android operating system.
“At this point in time, I haven’t established whether these vulnerabilities can be manipulated in order to mount an attack on the affected software,” Ribeiro told Threatpost. “If this can be exploited, then in the LibreOffice example, it could be exploited by a malicious, crafted file. For other affected software,
like the Chrome browser or the Android OS, it is hard to say – again it depends on how the library is used.”
Ribeiro said the ICU library is used in different ways. LibreOffice, for example, calls the system’s ICU library, while Chrome, for example, embeds ICU code in the software.
“This malicious crafted file could then deliver a payload that would execute as the user running LibreOffice and escalate its privileges to administrator,” Ribeiro said. “This can have a very high impact in an organization, as this is the way an APT attack works.
“Other software packages might be exploited in different ways,” Ribeiro said. “Chrome for example via a crafted webpage, although again this has not been determined yet.”
The DHS-sponsored CERT at the Software Engineering Institute at Carnegie Mellon University yesterday issued an advisory warning organizations about the vulnerabilities. Of the heap-based buffer overflow (CVE-2014-8146), CERT said that multiple out-of-bounds writes could occur in the resolveImplicitLevels function of ubidi.c. With the integer overflow bug, CERT warns that the condition may occur also in the same function because an int32 value is assigned to an int16 type.
“An attacker may be able to provide input that triggers one or both overflow vulnerabilities,” the CERT advisory said, “leading to denial of service and the possibility of code execution.”
CERT also provided a long list of products that make use of the ICU library; as of this morning only the FreeBSD Project and ICU Project have acknowledged being affected. The remaining products are listed as unknown.
“Time will tell whether this is simply a memory corruption bug or something can be exploited,” Ribeiro said. “However given the impact in ICU I expect it to get a lot of attention.”