CVE-2020-14382Out-of-bounds Write in Project Cryptsetup

CWE-787Out-of-bounds Write9 documents8 sources
Severity
7.8HIGHNVD
EPSS
0.3%
top 48.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Cryptsetup Project CryptsetupCanonical Ubuntu LinuxFedoraproject Fedora+1 more
Timeline
PublishedSep 16
Latest updateMay 24

Description

A vulnerability was found in upstream release cryptsetup-2.2.0 where, there's a bug in LUKS2 format validation code, that is effectively invoked on every device/image presenting itself as LUKS2 container. The bug is in segments validation code in file 'lib/luks2/luks2_json_metadata.c' in function hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj) where the code does not check for possible overflow on memory allocation used for intervals array (see statement "intervals = malloc

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

Debiancryptsetup_project/cryptsetup< 2:2.3.4-1+3
CVEListV5cryptsetup_project/cryptsetupcryptsetup-2.2.0

Also affects: Fedora 31, 33, Ubuntu Linux 20.04, Enterprise Linux 8.0

Patches

Patch: bugzilla.redhat.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

3
GHSA
GHSA-v8mw-xqhr-2vqp: A vulnerability was found in upstream release cryptsetup-22022-05-24
CVEList
CVE-2020-14382: A vulnerability was found in upstream release cryptsetup-22020-09-16
OSV
CVE-2020-14382: A vulnerability was found in upstream release cryptsetup-22020-09-16

📋Vendor Advisories

3
Ubuntu
cryptsetup vulnerability2020-09-14
Red Hat
cryptsetup: Out-of-bounds write when validating segments2020-09-03
Debian
CVE-2020-14382: cryptsetup - A vulnerability was found in upstream release cryptsetup-2.2.0 where, there's a ...2020

💬Community

2
Bugzilla
CVE-2020-14382 cryptsetup: Out-of-bounds write when validating segments [fedora-all]2020-09-03
Bugzilla
CVE-2020-14382 cryptsetup: Out-of-bounds write when validating segments2020-09-02
CVE-2020-14382 — Out-of-bounds Write | cvebase