Microchip cryptoauthlib atcab_genkey_base buffer overflow
| CENSUS ID: | CENSUS-2020-0004 |
| CVE ID: | CVE-2019-16129 |
| Affected Products: | cryptoauthlib versions prior to "20191122" |
| Class: | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')(CWE-120) |
| Discovered by: | George Poulios |
CENSUS identified a buffer overflow vulnerability in the atcab_genkey_base function of the cryptoauthlib library. This library is part of the standard SDK provided by Microchip and is used to drive the operation of cryptographic co-processors sold by the vendor, such as the ATECC608A. An attacker with physical access to an embedded device where a microcontroller unit executes a vulnerable version of this library, may be able to execute arbitrary code on the microcontroller, by supplying malicious input to the microcontroller. Affected manufacturers of embedded systems that use Microchip cryptographic co-processors, are strongly recommended to update to at least version "20191122" of the "cryptoauthlib" library.
Microchip cryptoauthlib atcab_sign_base buffer overflow
| CENSUS ID: | CENSUS-2020-0003 |
| CVE ID: | CVE-2019-16128 |
| Affected Products: | cryptoauthlib versions prior to "20191122" |
| Class: | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')(CWE-120) |
| Discovered by: | George Poulios |
CENSUS identified a buffer overflow vulnerability in the atcab_sign_base function of the cryptoauthlib library. This library is part of the standard SDK provided by Microchip and is used to drive the operation of cryptographic co-processors sold by the vendor, such as the ATECC608A. An attacker with physical access to an embedded device where a microcontroller unit executes a vulnerable version of this library, may be able to execute arbitrary code on the microcontroller, by supplying malicious input to the microcontroller. Affected manufacturers of embedded systems that use Microchip cryptographic co-processors, are strongly recommended to update to at least version "20191122" of the "cryptoauthlib" library.
GDCM buffer overflow in ImageRegionReader :: ReadIntoBuffer
| CENSUS ID: | CENSUS-2016-0001 |
| CVE ID: | CVE-2015-8396 |
| Affected Products: | Applications using GDCM versions < 2.6.2 and the ImageRegionReader :: ReadIntoBuffer API call |
| Class: | Integer Overflow or Wraparound (CWE-190) |
| Discovered by: | Stelios Tsampas |
Grassroots DICOM (GDCM) is a C++ library for processing DICOM medical images. It provides routines to view and manipulate a wide range of image formats and can be accessed through many popular programming languages like Python, C#, Java and PHP. Various applications that make use of GDCM are listed here and here.
FreeBSD kernel NFS client local vulnerabilities
| CENSUS ID: | CENSUS-2010-0001 |
| CVE ID: | CVE-2010-2020 |
| Affected Products: | FreeBSD 8.0-RELEASE, 7.3-RELEASE, 7.2-RELEASE |
| Class: | Improper Input Validation (CWE-20) |
| Remote: | No |
| Discovered by: | Patroklos Argyroudis |
We have discovered two improper input validation vulnerabilities in the FreeBSD kernel’s NFS client-side implementation (FreeBSD 8.0-RELEASE, 7.3-RELEASE and 7.2-RELEASE) that allow local unprivileged users to escalate their privileges, or to crash the system by performing a denial of service attack.