Lucene search
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.FREEBSD_PKG_326B2F3E6FC74661955DA772760DB9CF.NASLHistoryApr 14, 2023 - 12:00 a.m.
FreeBSD : py-tflite -- buffer overflow vulnerability (326b2f3e-6fc7-4661-955d-a772760db9cf)
2023-04-1400:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
5
freebsd
py-tflite
buffer overflow
vulnerability
tensorflow
machine learning
operator
data_ptr
num_channels
output_num_channels
github commit
cherrypick
cve-2022-41894
nessus
scanner
0.001 Low
EPSS
Percentile
47.0%
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 326b2f3e-6fc7-4661-955d-a772760db9cf advisory.
- TensorFlow is an open source platform for machine learning. The reference kernel of the
CONV_3D_TRANSPOSETensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result. Instead ofdata_ptr += num_channels;it should bedata_ptr += output_num_channels;as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > output_num_channels. An attacker can craft a model with a specific number of input channels. It is then possible to write specific values through the bias of the layer outside the bounds of the buffer. This attack only works if the reference kernel resolver is used in the interpreter. We have patched the issue in GitHub commit 72c0bdcb25305b0b36842d746cc61d72658d2941. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. (CVE-2022-41894)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# @NOAGENT@
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2021 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
# copyright notice, this list of conditions and the following
# disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
# published online in any format, converted to PDF, PostScript,
# RTF and other formats) must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
include('compat.inc');
if (description)
{
script_id(174295);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/19");
script_cve_id("CVE-2022-41894");
script_name(english:"FreeBSD : py-tflite -- buffer overflow vulnerability (326b2f3e-6fc7-4661-955d-a772760db9cf)");
script_set_attribute(attribute:"synopsis", value:
"The remote FreeBSD host is missing one or more security-related updates.");
script_set_attribute(attribute:"description", value:
"The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a
vulnerability as referenced in the 326b2f3e-6fc7-4661-955d-a772760db9cf advisory.
- TensorFlow is an open source platform for machine learning. The reference kernel of the
`CONV_3D_TRANSPOSE` TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the
result. Instead of `data_ptr += num_channels;` it should be `data_ptr += output_num_channels;` as if the
number of input channels is different than the number of output channels, the wrong result will be
returned and a buffer overflow will occur if num_channels > output_num_channels. An attacker can craft a
model with a specific number of input channels. It is then possible to write specific values through the
bias of the layer outside the bounds of the buffer. This attack only works if the reference kernel
resolver is used in the interpreter. We have patched the issue in GitHub commit
72c0bdcb25305b0b36842d746cc61d72658d2941. The fix will be included in TensorFlow 2.11. We will also
cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and
still in supported range. (CVE-2022-41894)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://osv.dev/vulnerability/GHSA-h6q3-vv32-2cq5");
# https://vuxml.freebsd.org/freebsd/326b2f3e-6fc7-4661-955d-a772760db9cf.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9eebe186");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-41894");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/11/18");
script_set_attribute(attribute:"patch_publication_date", value:"2023/04/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/04/14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py310-tflite");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py311-tflite");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py37-tflite");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py38-tflite");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py39-tflite");
script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"FreeBSD Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
exit(0);
}
include("freebsd_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
var flag = 0;
var packages = [
'py310-tflite<2.8.4',
'py310-tflite>=2.10.0<2.10.1',
'py310-tflite>=2.9.0<2.9.3',
'py311-tflite<2.8.4',
'py311-tflite>=2.10.0<2.10.1',
'py311-tflite>=2.9.0<2.9.3',
'py37-tflite<2.8.4',
'py37-tflite>=2.10.0<2.10.1',
'py37-tflite>=2.9.0<2.9.3',
'py38-tflite<2.8.4',
'py38-tflite>=2.10.0<2.10.1',
'py38-tflite>=2.9.0<2.9.3',
'py39-tflite<2.8.4',
'py39-tflite>=2.10.0<2.10.1',
'py39-tflite>=2.9.0<2.9.3'
];
foreach var package( packages ) {
if (pkg_test(save_report:TRUE, pkg: package)) flag++;
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : pkg_report_get()
);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
| Vendor | Product | Version | CPE |
|---|---|---|---|
| freebsd | freebsd | py310-tflite | p-cpe:/a:freebsd:freebsd:py310-tflite |
| freebsd | freebsd | py311-tflite | p-cpe:/a:freebsd:freebsd:py311-tflite |
| freebsd | freebsd | py37-tflite | p-cpe:/a:freebsd:freebsd:py37-tflite |
| freebsd | freebsd | py38-tflite | p-cpe:/a:freebsd:freebsd:py38-tflite |
| freebsd | freebsd | py39-tflite | p-cpe:/a:freebsd:freebsd:py39-tflite |
| freebsd | freebsd | cpe:/o:freebsd:freebsd |
Related
nessus
nessus
CBL Mariner 2.0 Security Update: tensorflow (CVE-2022-41894)
2023-03-20 00:00:00
TensorFlow < 2.9.3 Multiple Vulnerabilities
2024-05-24 00:00:00
TensorFlow < 2.10.1 Multiple Vulnerabilities
2024-05-20 00:00:00
osv
osv
CVE-2022-41894
2022-11-18 22:15:17
Buffer overflow in `CONV_3D_TRANSPOSE` on TFLite
2022-11-21 20:44:24
BIT-tensorflow-2022-41894
2024-03-06 11:10:59
cve
cve
CVE-2022-41894
2022-11-18 22:15:17
nvd
nvd
CVE-2022-41894
2022-11-18 22:15:17
veracode
veracode
Denial Of Service (DoS)
2022-11-22 03:46:36
cvelist
cvelist
CVE-2022-41894 Buffer overflow in `CONV_3D_TRANSPOSE` on TFLite
2022-11-18 00:00:00
github
github
Buffer overflow in `CONV_3D_TRANSPOSE` on TFLite
2022-11-21 20:44:24
cnvd
cnvd
Google TensorFlow has an unspecified vulnerability (CNVD-2022-81227)
2022-11-23 00:00:00
prion
prion
Buffer overflow
2022-11-18 22:15:00
freebsd
freebsd
py-tflite -- buffer overflow vulnerability
2022-11-21 00:00:00
cbl_mariner
cbl_mariner
CVE-2022-41894 affecting package tensorflow for versions less than 2.11.0-1
2022-12-09 20:03:11
