430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Cisco Talos discovered 2 critical flaws in the popular OpenCV library

Maintainers of the OpenCV library addressed two buffer overflow flaws that could lead to arbitrary code execution. Maintainers of the OpenCV library addressed two high-severity buffer overflow vulnerabilities that could be exploited by an attacker to execute arbitrary code. OpenCV (Open Source Computer Vision Library) is an open-source library of programming functions mainly aimed at […]

openCV

Maintainers of the OpenCV library addressed two buffer overflow flaws that could lead to arbitrary code execution.

Maintainers of the OpenCV library addressed two high-severity buffer overflow vulnerabilities that could be exploited by an attacker to execute arbitrary code.

OpenCV (Open Source Computer Vision Library) is an open-source library of programming functions mainly aimed at real-time computer vision.

The library is used by major tech companies, including Google, Microsoft, Intel, IBM, Yahoo, Sony, Honda, Toyota, and others for the development of facial recognition technology, robotics, motion tracking, and other solutions. OpenCV works on major OSs, including Windows, Linux, Android and Mac OS.

Researchers at Cisco Talos have discovered two buffer overflow vulnerabilities in OpenCV version 4.1.0 tracked as CVE-2019-5063 (CVSS score 8.8) and CVE-2019-5064 (CVSS score 8.8).

Both vulnerabilities were reported to the vendor in July 2019.

openCV

The CVE-2019-5063 is a heap buffer overflow vulnerability that exists in the data structure persistence functionality of OpenCV 4.1.0. The functionality allows developers to write and retrieve OpenCV data structures to/from a file on disk, the flaw could be exploited by an attacker by using specially crafted XML files containing “a potential character entity reference, when the ampersand is encountered, the API will continue to digest alphanumeric characters until a semicolon is encountered. If the string does not match one of the strings in the switch statement, the data is instead copied to a buffer as is.”

“Cisco Talos recently discovered two buffer overflow vulnerabilities in the OpenCV libraries. An attacker could potentially exploit these bugs to cause heap corruptions and potentially code execution. Intel Research originally developed OpenCV in 1999, but it is currently maintained by the non-profit organization OpenCV.org.” reads the advisory published by Cisco Talos.

“In accordance with our coordinated disclosure policy, Cisco Talos worked with OpenCV to ensure that these issues are resolved and that an update is available for affected customers.”

The CVE-2019-5064 vulnerability resides in the data structure persistence functionality of the same library and can be triggered by attackers using a specially crafted JSON file.

The experts explained that the flaw is triggered when parsing a JSON file containing a null byte, it is copied to the buffer. The library fails to check whether the JSON value will overflow the destination buffer.

“An exploitable heap buffer overflow vulnerability exists in the data structure persistence functionality of OpenCV, version 4.1.0. A specially crafted JSON file can cause a buffer overflow, resulting in multiple heap corruptions and potentially code execution.” reads the advisory. “An attacker can provide a specially crafted file to trigger this vulnerability.”

The OpenCV 4.2.0 version released at the end of December 2019 addressed the two buffer overflow vulnerabilities.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – library, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]