alanfranz 5 days ago

I’ll answer myself: an RCE is very unlikely on any modern platform. DoS is possible.

“Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.”

From: https://openssl-library.org/news/secadv/20260127.txt

  • b1temy 5 days ago

    The link in the HN submission contains the same text and excerpt from your link.

    Additionally, they note:

    "While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."

    IMO, in and of itself, this alone is probably not able to do much besides maybe a crash / Denial of Service on modern systems. But it might be able to be used as part of a more advanced exploit chain, alongside other vulnerabilities, to potentially reach remote code execution, though this would be a much more sophisticated exploit and is maybe a bit of a reach. Still, I hesitate to call it impossible on modern systems due to the creativity of exploit developers.

    • JohnLeitch 5 days ago

      > though this would be a much more sophisticated exploit and is maybe a bit of a reach.

      Not necessarily. I have successfully exploited stack buffer overflows in major products despite stack canaries, ASLR, and DEP. It largely depends on context; if the vector is something that can be hit repeatedly, such as a webform that takes a cert or whatever, that simplifies things a lot versus something like a file format exploit, where you probably only get one chance. While I haven't analyzed this vulnerability, I would absolutely assume exploitability even if I couldn't see a way myself.

    • alanfranz 5 days ago

      You are right. I linked a differently formatted article with the same content. I don’t know why I didn’t initially notice such text.

  • woodruffw 5 days ago

    "Modern platform" is doing a lot of lifting; CMS and PKCS#7 rear their heads in all kinds of random places, like encryption/signing of OTA updates for routers. Those platforms are often (unreasonably) 10-20 years behind the norm for compile-time mitigations.

chc4 5 days ago

OpenSSL is used by approximately everything under the sun. Some of those users will be vendors that use default compiler flags without stack cookies. A lot of IoT devices for example still don't have stack cookies for any of their software.

MajesticHobo2 5 days ago

Yes, but it would likely have to be chained with other bugs - at minimum, something that gives you an info leak.

JohnLeitch 5 days ago

It depends on what mitigations are in place and the arrangement of the stack. Even with stack canaries, having an unfortunate value on the stack, e.g. a function pointer, can still be quite dangerous if it can be overwritten without hitting any of the stack canaries.