Description
Insufficient input validation in the Marvin Minsky 1967 implementation of the Universal Turing Machine allows program users to execute arbitrary code via crafted data. For example, a tape head may have an unexpected location after the processing of input composed of As and Bs (instead of 0s and 1s). NOTE: the discoverer states "this vulnerability has no real-world implications."
Affected Software
Related
{"id": "CVE-2021-32471", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-32471", "description": "Insufficient input validation in the Marvin Minsky 1967 implementation of the Universal Turing Machine allows program users to execute arbitrary code via crafted data. For example, a tape head may have an unexpected location after the processing of input composed of As and Bs (instead of 0s and 1s). NOTE: the discoverer states \"this vulnerability has no real-world implications.\"", "published": "2021-05-10T05:15:00", "modified": "2021-05-19T18:40:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 7.2}, "severity": "HIGH", "exploitabilityScore": 3.9, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32471", "reporter": "cve@mitre.org", "references": ["https://github.com/intrinsic-propensity/turing-machine", "https://arxiv.org/abs/2105.02124"], "cvelist": ["CVE-2021-32471"], "immutableFields": [], "lastseen": "2022-03-23T18:23:10", "viewCount": 32, "enchantments": {"dependencies": {"references": [{"type": "githubexploit", "idList": ["D6D395AE-2DA8-5231-A901-B4C7DC4CF7D8"]}], "rev": 4}, "score": {"value": 5.5, "vector": "NONE"}, "twitter": {"counter": 11, "tweets": [{"link": "https://twitter.com/ipssignatures/status/1391741824268656645", "text": "(Same from about 4 hours ago.)\nI think that the most retweeted(81 times) tweet that contains CVE ID between May 9 2021 13:01 UTC and May 10 2021 13:00 UTC is:\n/CVEnew/status/1391630391304413184\nIt has CVE-2021-32471. /hashtag/l24_khc3b326dif3e?src=hashtag_click"}, {"link": "https://twitter.com/ipssignatures/status/1391741824268656645", "text": "(Same from about 4 hours ago.)\nI think that the most retweeted(81 times) tweet that contains CVE ID between May 9 2021 13:01 UTC and May 10 2021 13:00 UTC is:\n/CVEnew/status/1391630391304413184\nIt has CVE-2021-32471. /hashtag/l24_khc3b326dif3e?src=hashtag_click"}, {"link": "https://twitter.com/claudioluck/status/1392452057265750025", "text": "Sicherheitsloch im theoretisch einfachsten Computer \u00fcberhaupt (CVE-2021-32471).\n\nDer Entdecker \u201cdiskutiert die Frage, ob es sich sogar um ein grunds\u00e4tzliches Problem aller Computer handelt\u201c (Paper hier: https://t.co/0j2U0HUIGs?amp=1)"}, {"link": "https://twitter.com/Myinfosecfeed/status/1391768062198788099", "text": "New post: \"CVE-2021-32471 \u2013 Input validation in Marvin Minsky 1967 Turing Machine\""}, {"link": "https://twitter.com/numpad0/status/1391774583506673667", "text": "CVE-2021-32471 \u8349"}, {"link": "https://twitter.com/wilderko/status/1394699448878571521", "text": "Insufficient input validation in the Marvin Minsky 1967 implementation of the Universal Turing Machine allows program users to execute arbitrary code via crafted data... :-) \n\nCVE - CVE-2021-32471 https://t.co/U3uB8ZzYDr?amp=1"}, {"link": "https://twitter.com/betterhn20/status/1391738336700682242", "text": "CVE-2021-32471 \u2013 Input validation in Marvin Minsky 1967 Turing Machine https://t.co/eBWDMlGV08?amp=1 (https://t.co/XvIs7TN8bf?amp=1)"}, {"link": "https://twitter.com/betterhn20/status/1391738336700682242", "text": "CVE-2021-32471 \u2013 Input validation in Marvin Minsky 1967 Turing Machine https://t.co/eBWDMlGV08?amp=1 (https://t.co/XvIs7TN8bf?amp=1)"}, {"link": "https://twitter.com/arvestad/status/1399418081835945992", "text": "Time to update your Turing machine. Zero-day exploit found. See CVE-2021-32471. Well done Pontus Johnsson finding this!\nhttps://t.co/0tEcVevtlU?amp=1"}, {"link": "https://twitter.com/techadversary/status/1409208038972563457", "text": "CVE-2021-32471 \u2013 Input validation in Marvin Minsky 1967 Turing Machine https://t.co/dZ4rlQhWJP?amp=1"}], "modified": "2021-05-20T07:25:26"}, "backreferences": {"references": [{"type": "githubexploit", "idList": ["D6D395AE-2DA8-5231-A901-B4C7DC4CF7D8"]}]}, "exploitation": null, "vulnersScore": 5.5}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:mit:universal_turing_machine:-"], "cpe23": ["cpe:2.3:a:mit:universal_turing_machine:-:*:*:*:*:*:*:*"], "cwe": ["CWE-20"], "affectedSoftware": [{"cpeName": "mit:universal_turing_machine", "version": "-", "operator": "eq", "name": "mit universal turing machine"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:mit:universal_turing_machine:-:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://github.com/intrinsic-propensity/turing-machine", "name": "https://github.com/intrinsic-propensity/turing-machine", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://arxiv.org/abs/2105.02124", "name": "https://arxiv.org/abs/2105.02124", "refsource": "MISC", "tags": ["Third Party Advisory"]}]}
{"attackerkb": [{"lastseen": "2022-06-15T19:59:25", "description": "Insufficient input validation in the Marvin Minsky 1967 implementation of the Universal Turing Machine allows program users to execute arbitrary code via crafted data. For example, a tape head may have an unexpected location after the processing of input composed of As and Bs (instead of 0s and 1s). NOTE: the discoverer states \u201cthis vulnerability has no real-world implications.\u201d\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-32471", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32471"], "modified": "2021-05-20T00:00:00", "id": "AKB:7C287105-476D-4F02-B092-B7AA4A0C8A2E", "href": "https://attackerkb.com/topics/FTCohcOQ1P/cve-2021-32471", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-06-17T13:51:18", "description": "# Arbitrary Code Execution in the Universal Turing Machine\n\nThis...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-21T10:39:42", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Mit Universal Turing Machine", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32471"], "modified": "2022-06-17T07:20:54", "id": "D6D395AE-2DA8-5231-A901-B4C7DC4CF7D8", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}]}
CVE-2021-32471
