Maintainers of the OpenCV library addressed two buffer overflow flaws that could lead to arbitrary code execution.

Maintainers of the OpenCV library addressed two high-severity buffer overflow vulnerabilities that could be exploited by an attacker to execute arbitrary code.

OpenCV (Open Source Computer Vision Library) is an open-source library of programming functions mainly aimed at real-time computer vision.

The library is used by major tech companies, including Google, Microsoft, Intel, IBM, Yahoo, Sony, Honda, Toyota, and others for the development of facial recognition technology, robotics, motion tracking, and other solutions. OpenCV works on major OSs, including Windows, Linux, Android and Mac OS.

Researchers at Cisco Talos have discovered two buffer overflow vulnerabilities in OpenCV version 4.1.0 tracked as CVE-2019-5063 (CVSS score 8.8) and CVE-2019-5064 (CVSS score 8.8).

Both vulnerabilities were reported to the vendor in July 2019.

CVE-2019-5063 is a heap buffer overflow vulnerability that exists in the data structure persistence functionality of OpenCV 4.1.0. This functionality allows developers to write OpenCV data structures to a file on disk and read them back. The flaw could be exploited by an attacker using a specially crafted XML file containing “a potential character entity reference, when the ampersand is encountered, the API will continue to digest alphanumeric characters until a semicolon is encountered. If the string does not match one of the strings in the switch statement, the data is instead copied to a buffer as is.”

“Cisco Talos recently discovered two buffer overflow vulnerabilities in the OpenCV libraries. An attacker could potentially exploit these bugs to cause heap corruptions and potentially code execution. Intel Research originally developed OpenCV in 1999, but it is currently maintained by the non-profit organization OpenCV.org.” reads the advisory published by Cisco Talos.

“In accordance with our coordinated disclosure policy, Cisco Talos worked with OpenCV to ensure that these issues are resolved and that an update is available for affected customers.”

The CVE-2019-5064 vulnerability resides in the data structure persistence functionality of the same library and can be triggered by attackers using a specially crafted JSON file.

The experts explained that the flaw is triggered when the library parses a JSON file containing a null byte: the byte is copied to the buffer, and the library fails to check whether the JSON value will overflow the destination buffer.
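As an added illustration, not code from OpenCV or from the Cisco Talos advisories, the following C++ sketch shows the two bounds checks the advisory text implies are missing in the 4.1.0 persistence parser: a character-entity decoder that copies an unrecognised reference verbatim only when it fits in the destination buffer, and a length-delimited JSON string extractor that treats an embedded null byte as ordinary data and refuses to write past the destination. The function names, the entity-name limit and the sample inputs are assumptions constructed for this example.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical bounded decoder for one XML character entity reference
// starting at in[0] == '&'. Alphanumeric characters are consumed up to the
// ';'. Known names are translated; any other name is copied verbatim
// ("&name;"), as the advisory describes, but only if it fits in the caller's
// buffer. Returns bytes written to out, or -1 when the reference is
// malformed, the name exceeds kMaxEntityName, or the result exceeds outCap.
static int decodeEntityBounded(const char* in, size_t inLen, size_t* consumed,
                               char* out, size_t outCap) {
    const size_t kMaxEntityName = 8;  // constructed limit for this example
    if (inLen == 0 || in[0] != '&') return -1;
    size_t i = 1;
    std::string name;
    while (i < inLen && std::isalnum(static_cast<unsigned char>(in[i]))) {
        if (name.size() >= kMaxEntityName) return -1;  // refuse overlong names
        name.push_back(in[i++]);
    }
    if (i >= inLen || in[i] != ';') return -1;  // unterminated reference
    ++i;  // consume the ';'
    std::string replacement;
    if      (name == "lt")   replacement = "<";
    else if (name == "gt")   replacement = ">";
    else if (name == "amp")  replacement = "&";
    else if (name == "quot") replacement = "\"";
    else if (name == "apos") replacement = "'";
    else                     replacement.assign(in, i);  // unknown: keep as is
    if (replacement.size() > outCap) return -1;  // the check that must not be skipped
    std::memcpy(out, replacement.data(), replacement.size());
    if (consumed) *consumed = i;
    return static_cast<int>(replacement.size());
}

// Hypothetical bounded extractor for a JSON string literal starting at
// in[0] == '"'. The input is length-delimited, so an embedded NUL byte is
// copied as data rather than ending the scan. Escape sequences are not
// translated; the escaped byte is kept as-is. Returns the number of bytes
// stored in dst (a terminating NUL is added and not counted), or -1 when the
// literal is unterminated or would overflow dstCap.
static int extractJsonStringBounded(const char* in, size_t inLen,
                                    char* dst, size_t dstCap) {
    if (inLen == 0 || in[0] != '"' || dstCap == 0) return -1;
    size_t n = 0;
    for (size_t i = 1; i < inLen; ++i) {
        char c = in[i];
        if (c == '"') {  // closing quote: success
            dst[n] = '\0';
            return static_cast<int>(n);
        }
        if (c == '\\' && i + 1 < inLen) c = in[++i];  // keep escaped byte raw
        if (n + 1 >= dstCap) return -1;  // would overflow: stop before writing
        dst[n++] = c;
    }
    return -1;  // no closing quote found
}

int main() {
    char out[4];
    size_t used = 0;
    // Constructed inputs: a known entity, and an unknown one that is too
    // long for a 4-byte destination.
    std::printf("&lt;  -> %d\n", decodeEntityBounded("&lt;", 4, &used, out, sizeof out));
    std::printf("&foo; -> %d\n", decodeEntityBounded("&foo;", 5, &used, out, sizeof out));
    char dst[8];
    const char json[] = "\"ab\0cd\"";  // constructed: embedded NUL inside the literal
    std::printf("json  -> %d\n", extractJsonStringBounded(json, 7, dst, sizeof dst));
    return 0;
}
```

The point of both helpers is the same: the destination capacity is a parameter, the copy is refused rather than truncated or overrun when the input does not fit, and the input is handled by explicit length so that a stray null byte cannot change how much data is consumed. A fuzzer feeding the persistence loader malformed XML and JSON files would exercise exactly these two paths.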

“An exploitable heap buffer overflow vulnerability exists in the data structure persistence functionality of OpenCV, version 4.1.0. A specially crafted JSON file can cause a buffer overflow, resulting in multiple heap corruptions and potentially code execution.” reads the advisory. “An attacker can provide a specially crafted file to trigger this vulnerability.”

The OpenCV 4.2.0 version released at the end of December 2019 addressed the two buffer overflow vulnerabilities.

Pierluigi Paganini