
5 CVEs found with Feedback-based Fuzzing

published 2020-05-18, written by Jonathan Reimer

In recent years, modern fuzzing (feedback-based fuzzing) has uncovered a large number of bugs and vulnerabilities, both in open source and commercial software. Among others, over 18,000 bugs in Google Chrome, over 11,000 bugs in the Linux kernel and over 1,800 bugs in Microsoft Office have been discovered by various fuzzing tools. This blog post lists 5 examples of vulnerabilities that have been found with fuzzing and recognized as CVEs (Common Vulnerabilities and Exposures) by the MITRE Corporation.


1. Exposure of Sensitive Information in Microsoft Windows

Reference: CVE-2015-0061

Risk: Medium

Fuzzing tool: American Fuzzy Lop (AFL)

The vulnerability was reported by Michal Zalewski, director of Information Security Engineering at Google. Several Windows Server versions, as well as Windows 7 and 8, did not properly initialize memory when processing TIFF images. This allowed attackers to remotely obtain sensitive information from the process memory.


2. Out-of-bounds Read in Intrusion Detection System Suricata

Reference: CVE-2019-16411

Risk: Medium / High

Fuzzing tool: CI Fuzz

This bug was reported by Sirko Höer, IT Security Consultant at Code Intelligence GmbH. When multiple IPv4 packets with invalid IPv4Options were sent, a function tried to access a memory area that had not been allocated. In other words, the software tried to read data outside of the intended buffer. In an attack scenario, this can allow attackers to cause a crash or even read sensitive information from other memory locations. In total, Sirko Höer found 12 CVEs in Suricata. You can read more about it here.


3. Carry Propagating Bug in OpenSSL

Reference: CVE-2017-3732

Risk: Medium

Fuzzing tool: OSS-Fuzz / libFuzzer

This issue was reported to OpenSSL by the Google OSS-Fuzz team. A carry propagation bug means that the developer failed to propagate every carry bit during a large-integer addition or multiplication, so the operation produces an incorrect result. Such a bug only manifests in rare edge cases and therefore tends to go unnoticed for a long time. A successful attack relying on this propagation bug can allow an attacker to recover encryption keys.
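To make the "rare edge case" concrete, here is an added illustration (constructed for this post, not OpenSSL's code and not the routine behind CVE-2017-3732): a correct 256-bit limb-wise addition beside a variant that drops the second carry, plus a differential check of the kind a fuzz harness drives. Typical inputs agree; one crafted input loses an entire 64-bit limb.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define LIMBS 4  /* 256-bit integers as four 64-bit limbs, least significant first */

/* Correct addition: a limb's carry-out can come from a[i]+b[i] overflowing
 * or from (a[i]+b[i])+carry_in overflowing; both cases must be kept. */
uint64_t bn_add(uint64_t r[LIMBS], const uint64_t a[LIMBS], const uint64_t b[LIMBS]) {
    uint64_t carry = 0;
    for (int i = 0; i < LIMBS; i++) {
        uint64_t s = a[i] + b[i];
        uint64_t c1 = (s < a[i]);       /* overflow of a[i]+b[i] */
        uint64_t t = s + carry;
        uint64_t c2 = (t < s);          /* overflow of adding the incoming carry */
        r[i] = t;
        carry = c1 | c2;                /* never both set: if c1, s <= 2^64-2, so t cannot wrap */
    }
    return carry;
}

/* Constructed buggy variant: only the first overflow is recorded, so the carry
 * is silently lost whenever a[i]+b[i] == 2^64-1 and carry_in == 1. */
uint64_t bn_add_dropped_carry(uint64_t r[LIMBS], const uint64_t a[LIMBS], const uint64_t b[LIMBS]) {
    uint64_t carry = 0;
    for (int i = 0; i < LIMBS; i++) {
        uint64_t s = a[i] + b[i];
        uint64_t c1 = (s < a[i]);
        r[i] = s + carry;               /* BUG: overflow of this second addition is ignored */
        carry = c1;
    }
    return carry;
}

/* Differential check in the spirit of a fuzz harness: 1 if the two
 * implementations disagree on (a, b), 0 if they agree. */
int differs(const uint64_t a[LIMBS], const uint64_t b[LIMBS]) {
    uint64_t r1[LIMBS], r2[LIMBS];
    uint64_t k1 = bn_add(r1, a, b), k2 = bn_add_dropped_carry(r2, a, b);
    return k1 != k2 || memcmp(r1, r2, sizeof r1) != 0;
}

int main(void) {
    /* Constructed inputs: the typical pair agrees, the edge case does not. */
    uint64_t ta[LIMBS] = {5, 7, 0, 0}, tb[LIMBS] = {3, 9, 0, 0};
    uint64_t ea[LIMBS] = {UINT64_MAX, UINT64_MAX, 0, 0}, eb[LIMBS] = {1, 0, 0, 0};
    printf("typical: %s\n", differs(ta, tb) ? "MISMATCH" : "match");
    printf("edge:    %s\n", differs(ea, eb) ? "MISMATCH" : "match");
    return 0;
}
```

Random testing rarely produces a limb sum of exactly 2^64-1 together with an incoming carry, which is why a coverage-guided fuzzer comparing against a reference implementation is a better fit than unit tests for this bug class.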


4. Memory Corruption in Adobe Reader

Reference: CVE-2016-6978

Risk: Critical

Fuzzing tool: American Fuzzy Lop (AFL)

The issue was reported by Trend Micro's Zero Day Initiative. Memory corruption means that the application performs operations on a memory buffer but can read from or write to a memory location outside the intended boundary of that buffer. As a result, the vulnerability allowed attackers to execute arbitrary code or cause a Denial-of-Service (DoS).


5. NULL Pointer Dereference in Barcode Generator ZINT

Reference: CVE-2020-9385

Risk: High

Fuzzing tool: CI Fuzz

The vulnerability was reported by Christian Hartlage, Fuzzing Engineer at Code Intelligence. A NULL pointer dereference existed in the barcode generator library libzint because multiple "+" characters were mishandled by a function during the generation of EAN barcodes. This typically causes a crash or an application exit. You can read an extended article about this CVE here.


If you are curious to learn more about the opportunities of smart fuzzing for security testing, we recommend taking a look at our last webinar "CVE hunting with Fuzzing".
