History: Sep 13, 2023 - 8:05 a.m.

CVE-2023-4039 GCC's -fstack-protector fails to guard dynamically-sized local variables on AArch64

2023-09-13 08:05:10
CWE-693
Arm
www.cve.org
1
cve-2023-4039
buffer overflow
aarch64
stack-protector
dynamic variables

CVSS3: 4.8 Medium

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score: 5.8 Medium (Confidence: High)

EPSS: 0.0005 Low (Percentile: 16.8%)

DISPUTED: A failure in the -fstack-protector feature in GCC-based toolchains
that target AArch64 allows an attacker to exploit an existing buffer
overflow in dynamically-sized local variables in your application
without this being detected. This stack-protector failure only applies
to C99-style dynamically-sized local variables or those created using
alloca(). The stack-protector operates as intended for statically-sized
local variables.

The default behavior when the stack-protector
detects an overflow is to terminate your application, resulting in
controlled loss of availability. An attacker who can exploit a buffer
overflow without triggering the stack-protector might be able to change
program flow control to cause an uncontrolled loss of availability or to
go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "Arm GNU Toolchain",
    "vendor": "Arm Ltd",
    "versions": [
      {
        "status": "affected",
        "version": "All versions where option -fstack-protector is used"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "GCC",
    "vendor": "GNU",
    "versions": [
      {
        "status": "affected",
        "version": "All versions of GCC that target AArch64 when option -fstack-protector is used"
      }
    ]
  }
]
