github zeek/zeek v3.1.2

4 years ago

This release fixes the following security issue:

  • Fix stack overflow in POP3 analyzer
    bb3250c

    Thanks to Matteo Rizzo (Google) for reporting this issue.

    Impact: An attacker can crash Zeek remotely via crafted packet sequence.

    Affected versions: All versions since at least late 2010 and possibly earlier.

    POP3Analyzer parses the POP3 protocol. The affected code processes AUTH_PLAIN
    authentication requests, in which the client authenticates to the server by
    sending its credentials to the server as base64-encoded plaintext. Zeek
    allocates a variable length array (VLA) on the stack that is as big as the
    credentials sent by the client. GCC implements VLA allocation by subtracting
    the size of the VLA from the stack pointer. When the credentials sent by the
    client are larger than the available stack space, the stack pointer lands
    in the unmapped memory that the OS places above the stack. When that
    happens, the memcpy call that immediately follows crashes Zeek with a
    segmentation fault, because the destination address now points to unmapped
    memory. An attacker can therefore crash Zeek by sending a very long credential line.

    This class of bug is normally turned into a memory corruption primitive by
    moving the stack pointer into a writable region (for example a library) and
    overwriting that region. However in this case it is not possible to move the
    stack pointer far enough because ContentLineAnalyzer limits the length of the
    credentials to slightly less than 16MiB by default. Therefore it should not
    be possible to gain remote code execution using this bug, but only to crash
    Zeek.
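
The allocation pattern the advisory describes, shown next to a bounded alternative, as an added illustration that is not Zeek's own POP3 analyzer code or its actual fix (neither appears on this page); MAX_CRED_LEN is an assumed cap, not Zeek's ContentLineAnalyzer setting:

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the shape the advisory describes; this is not
 * Zeek's POP3 analyzer code. The VLA is sized directly from the peer-supplied
 * length, so the compiler lowers it to "stack pointer -= len" with no check.
 * Once len exceeds the remaining stack, the pointer lands in unmapped memory
 * and the memcpy faults. Safe only for small, trusted len. */
static size_t copy_to_vla_unsafe(const char *creds, size_t len)
{
    char buf[len];            /* VLA: size is attacker-controlled */
    memcpy(buf, creds, len);  /* SIGSEGV when buf is unmapped */
    return buf[0] == 'A' ? len : 0;
}

/* Assumed cap for the hardened variant. Zeek's actual line limit lives in
 * ContentLineAnalyzer (slightly under 16 MiB per the advisory); an explicit,
 * much smaller bound is the point here. */
#define MAX_CRED_LEN 4096

/* Hardened shape: validate the length first and allocate on the heap, so an
 * oversized credential line is rejected instead of moving the stack pointer.
 * Returns the number of bytes copied, or 0 when the input is rejected. */
static size_t copy_bounded(const char *creds, size_t len)
{
    if (creds == NULL || len == 0 || len > MAX_CRED_LEN)
        return 0;
    char *buf = malloc(len);
    if (buf == NULL)
        return 0;
    memcpy(buf, creds, len);
    /* ... decode/inspect buf here ... */
    free(buf);
    return len;
}

/* Helper that exercises copy_bounded with a constructed credential line of
 * n bytes of 'A', including lengths just past the cap. */
static size_t try_bounded_line(size_t n)
{
    char *line = malloc(n ? n : 1);
    if (line == NULL)
        return 0;
    memset(line, 'A', n);
    size_t r = copy_bounded(line, n);
    free(line);
    return r;
}
```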

Also fixed are the following bugs:

  • Fix use-after-free in Zeek lambda functions with uninitialized locals
    #845

  • Fix buffer overflow due to tables/records created at parse-time not rebuilt on record redef
    #860

  • Fix SMB NegotiateContextList parsing
    #869

  • Fix binpac flowbuffer frame length parsing doing too much bounds checking
    #873

  • Fix parsing ERSPAN III optional sub-header
    42dc290

  • Fix bug in intel indicator normalization
    #883

  • Fix connection duration thresholding
    #899

  • Fix using patterns as table/set indices
    #902

  • Fix X509Common.h header include for external plugins
    c835672

  • Fix incorrect targeting of node-specific Broker/Cluster messages
    ce9183a
    zeek/broker@0d04bf4

Reminder: Zeek 3.0.x is the Long-Term Support release, receiving bug fixes until at least October 2020, while Zeek 3.1.x is the current feature release, receiving bug fixes until approximately July 2020, when the 3.2.x release series begins.
