A 20-year-old bug has been discovered in a version of a popular compression algorithm used in the Linux kernel, several open-source libraries, and some Samsung Android mobile devices. And the researcher who found the flaw says it also could affect some car and aircraft systems, as well as other consumer equipment running the embedded open-source software.
Patches for the integer overflow bug, which allows an attacker to cripple systems running the so-called Lempel-Ziv-Oberhumer (LZO) code with denial-of-service attacks as well as remote code execution, were issued over the past few days for the Linux kernel, as well as for various open-source media libraries. LZO handles high-speed compression and decompression of IP network traffic and files, typically images, in embedded systems.
"The most popular use is in image data, decompressing photos taken, raw images taken from a camera or video stream," says Don Bailey, mobile and embedded systems security expert with Lab Mouse Security, who discovered the vulnerability while manually auditing the code.
Bailey says the tricky part with this flaw is just how pervasive it may be in the consumer products that use the algorithm: it depends on the version of the specification, as well as how it was deployed in the system, so it's still unclear just how many consumer products are at risk.
He says there are several key products that incorporate LZO, including OpenVPN, Samsung Android devices with LZO, Apache Hadoop, Juniper Junos IPsec, mplayer2, gstreamer, and Illumos/Solaris BSD ZFS (lz4), but it's unclear whether the LZO deployments in these software programs are vulnerable. "Most likely, they are affected by DoS, if at all," he says.
It all depends on how the algorithm was implemented, he says, as well as the underlying architecture and memory layout of the application. So all LZO implementations should be evaluated for the risk of the bug, he says, as well as patched.
What's unnerving about the vulnerability is the potential danger it could pose to commercial systems, he says. "If it's running in an embedded car or airplane system it [could be abused to] cause a fault in the software and cause the microcontroller or embedded system to fail," Bailey says. "And depending on the architecture, that system may or may not fail."
It could also be used to execute code remotely via audiovisual media, he says. "If you're viewing a video, a [malicious] video will execute a shell on your computer, so you could get code execution by playing a video."
There are plenty of unknowns about the scope of the vulnerability. NASA's Mars Rover also runs LZO, but Bailey says since we don't know how the code was deployed there, there's no way to know if it's vulnerable, either.
Trey Ford, global security strategist for Rapid7, says LZO compression is pervasive. "You will find it in practically all variants of Linux and it may also affect Solaris, iOS, and Android. Note that some variation of the Linux kernel -- the foundation of an operating system -- is used in almost every Internet of Things device, regardless of function," he says.
But without specifics on the flaw and its presence in different implementations, it's tough to determine just how dangerous this may be, Ford says. "This vulnerability might permit bypass of signatures for bootloaders in the deployment of a modified kernel, or perhaps a local-only kernel level exploit provided by a special dirty USB drive. It's very hard to assess the possible impact without more detail," he says.
Meanwhile, Bailey says the flaw only scratches the surface of vulnerabilities out there in embedded systems. "We're going to see more of this as the Internet of Things becomes more prominent," he says.
And not all systems will even get the LZO patch or future patches, he says. "A lot of older projects don't adhere to licensing and may not be patching," he says. "Or organizations may have legacy systems and don't know the library is used in them."
The LZO bug has some parallels to Heartbleed, he says, but it's not as immediately impactful as Heartbleed was. "It's almost as dangerous because it affects a wide number of platforms in a range of ways, with remote memory disclosure, DoS, and remote code execution with one bug," he says.
Bailey has posted a blog with technical details on the LZO vulnerability here.
Here's a rundown of the patches being issued for the flaw:
- Linux kernel updates for the flaw were released today, and according to the developers of the project, all of the Linux distros have patches available.
- Libav's versions with CamStudio and NuppelVideo decoders enabled and the Matroska demuxer using LZO are affected, according to the open-source project's developers. So Libav 0.8, 9, and 10 could be vulnerable to the bug, which is being patched this week.
- Videolan and ffmpeg media players were patched this week.
- Oberhumer, which develops the LZO Professional data compression library used in the Mars Rover, airplanes, cars, mobile phones, operating systems, and gaming consoles, did not respond to press inquiries about a patch or which of its systems may be affected by the flaw.
But the organization has issued an update to the software, LZO 2.07. The update doesn't specify whether it fixes the LZO bug, however. Bailey says the site does note that there's a security issue fixed in the new version.
"Basically, if you do have a car, a mobile telephone, a computer, a console, or have been to hospital recently, there's a good chance that you have been in contact with our embedded data compression technology," Oberhumer says on its website.