CVE-2023-46045: Graphviz 2.36.0 through 9.x before 10.0.1 Out-Of-Bounds Read via Crafted Config6a File

In this long-read post, we'll be delving into CVE-2023-46045, a recently disclosed vulnerability in Graphviz, a popular open-source tool for visualizing graphs and diagrams. Specifically, it is an out-of-bounds read that occurs when Graphviz processes a maliciously crafted config6a file. Exploitability is expected to be uncommon, because that file is typically owned by root, but it is still worth understanding the underlying issue and applying the patch or mitigations to protect your systems.

What is Graphviz?

Graphviz is open-source graph visualization software that provides a wide array of graph layout algorithms and output formats. It supports directed, undirected, and mixed graphs, hierarchical layouts, and more, and is widely used in domains such as bioinformatics, software engineering, and networking. The project's official website is https://graphviz.org/

Details of CVE-2023-46045

The vulnerability in question, CVE-2023-46045, is an out-of-bounds read that occurs when a specially crafted config6a file is processed by Graphviz versions 2.36.0 through 9.x before 10.0.1. config6a is the plugin configuration file that Graphviz's layout commands (such as dot) read at startup; it is normally generated by running dot -c during installation. A successful exploit could lead to information disclosure or a crash of the Graphviz process. However, exploitability is limited because config6a is typically owned by root, so an attacker first needs a way to replace or modify the file before the vulnerable code ever sees crafted input.

To better understand the vulnerability, let's look at a simplified snippet that illustrates the pattern (it models the bug class rather than reproducing Graphviz's own parser source):

#include <stdio.h>
#include "config.h"
#ifdef HAVE_LIBGD
/* Read the config6a file (simplified illustration of the vulnerable pattern) */
void config6a(FILE* file) {
  unsigned char buffer[256];
  size_t n = fread(buffer, 1, sizeof(buffer), file);
  if (n > 0) {
    /* 16-bit little-endian offset taken straight from the file: it can be
       anything from 0 to 65535, while buffer holds only 256 bytes */
    unsigned int varOffset = buffer[2] | buffer[3] << 8;
    /* Out-of-bounds read occurs here: varOffset + 5 is never checked against n */
    unsigned int value = buffer[varOffset + 4] | buffer[varOffset + 5] << 8;
    /* ... */
  }
}
#endif

In the snippet above, config6a reads the file into a fixed 256-byte stack buffer. varOffset is computed from two bytes of that buffer, so an attacker controls it fully (any value from 0 to 65535), and it is then used as an index without being compared against n, the number of bytes actually read. An offset beyond the buffer reads adjacent stack memory and can crash the process; an offset that lands inside the 256-byte buffer but beyond the bytes read returns uninitialized stack contents, which is an information leak rather than a crash. Note also that if the file is shorter than four bytes, buffer[2] and buffer[3] themselves are uninitialized. By providing a crafted config6a file, an attacker can trigger any of these reads and, in some cases, cause information disclosure or crashes.
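As an added example (not code from the original post or from the Graphviz project), the following C program puts the vulnerable pattern beside a hardened reader and runs both over constructed inputs. The byte layout, the function names (read_value_unchecked, read_value_checked, parse_config6a, parse_bytes) and the sample files are assumptions that mirror the illustrative snippet above; the real config6a is a text file, so this models the bug class, not the Graphviz parser. The point it makes that the prose alone does not is that the bound must be the number of bytes read, not the buffer's capacity.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define CONFIG_BUF_SIZE 256

/* Constructed sample inputs (assumed layout, NOT the real config6a format):
 * bytes 2..3 hold a little-endian offset, the 16-bit value lives at
 * bytes offset+4 .. offset+5. */

/* Benign: offset 2, so the value sits at bytes 6..7 (0x34 0x12 = 0x1234). */
const unsigned char benign_config[] = {
    0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x34, 0x12
};

/* Crafted: offset 0xFFFF, far outside any 256-byte buffer (crash/leak). */
const unsigned char crafted_config[] = {
    0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00
};

/* Short file: offset 100 is inside the 256-byte buffer but beyond the 8
 * bytes actually read, so an unchecked reader returns stale stack data. */
const unsigned char short_config[] = {
    0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Vulnerable reader, equivalent to the page's snippet: trusts the
 * file-supplied offset. Feeding it crafted_config reads past buf; build
 * with -fsanitize=address to see the report. Kept for comparison only. */
unsigned int read_value_unchecked(const unsigned char *buf, size_t n) {
    if (n == 0) return 0;
    unsigned int off = buf[2] | (buf[3] << 8);
    return buf[off + 4] | (buf[off + 5] << 8);   /* no bounds check */
}

/* Hardened reader: validates every index against n, the bytes actually
 * read, before dereferencing. Returns false (and leaves *out untouched)
 * when the file is too short or the offset is out of range. */
bool read_value_checked(const unsigned char *buf, size_t n, unsigned int *out) {
    if (n < 6) return false;                 /* 4-byte header + 2 value bytes */
    size_t off = (size_t)buf[2] | ((size_t)buf[3] << 8);
    if (off > n - 6) return false;           /* require off + 5 < n */
    *out = buf[off + 4] | (buf[off + 5] << 8);
    return true;
}

/* Stand-in for the page's config6a(FILE*): reads at most CONFIG_BUF_SIZE
 * bytes and parses them with the hardened reader. */
bool parse_config6a(FILE *file, unsigned int *out) {
    unsigned char buf[CONFIG_BUF_SIZE];
    size_t n = fread(buf, 1, sizeof buf, file);
    return read_value_checked(buf, n, out);
}

/* Demo helper: writes an in-memory image to a temporary file and parses
 * it, so the program runs offline without touching the real config6a. */
bool parse_bytes(const unsigned char *bytes, size_t len, unsigned int *out) {
    FILE *f = tmpfile();
    if (f == NULL) return false;
    bool ok = fwrite(bytes, 1, len, f) == len;
    rewind(f);
    if (ok) ok = parse_config6a(f, out);
    fclose(f);
    return ok;
}

int main(void) {
    unsigned int v = 0;
    printf("benign  (unchecked): 0x%04x\n",
           read_value_unchecked(benign_config, sizeof benign_config));
    printf("benign  (checked):   %s 0x%04x\n",
           parse_bytes(benign_config, sizeof benign_config, &v) ? "ok" : "rejected", v);
    printf("crafted (checked):   %s\n",
           parse_bytes(crafted_config, sizeof crafted_config, &v) ? "ok" : "rejected");
    printf("short   (checked):   %s\n",
           parse_bytes(short_config, sizeof short_config, &v) ? "ok" : "rejected");
    return 0;
}
```

The checked reader deliberately compares the offset against n rather than against sizeof buf: a check against the buffer's capacity would still accept short_config and hand back whatever the stack held before fread ran, which is exactly the information-disclosure case. Build with cc -fsanitize=address and call read_value_unchecked on crafted_config to watch the original pattern fail.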

Original references and patch information

The Graphviz project has acknowledged this vulnerability and released a fix. Upgrading to Graphviz 10.0.1 or later removes this specific vulnerability, and it is recommended that you apply the update as soon as possible.

For more information on the vulnerability, you can refer to the CVE entry at the following link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46045

Exploit details and mitigations

As mentioned earlier, the exploitability of CVE-2023-46045 is expected to be low because config6a is typically owned by root. However, if an attacker can modify the file, for example on a system where it has been left writable by other users, any Graphviz process that subsequently reads it can be made to crash or to disclose memory contents.

To mitigate this vulnerability, upgrade to Graphviz 10.0.1 or later, as mentioned above; dot -V prints the installed version. In addition, follow standard file-permission and access-control practices: config6a should be owned by root and writable only by root, and only trusted installation tooling should regenerate it.

Conclusion

CVE-2023-46045 is an out-of-bounds read vulnerability in Graphviz that can lead to information disclosure or crashes if successfully exploited. While exploitation is expected to be uncommon, it is still worth staying informed and taking the necessary precautions. By upgrading to a fixed version of Graphviz and keeping config6a under root ownership with restrictive permissions, you can significantly reduce the risk posed by this vulnerability.

Timeline

Published on: 02/02/2024 06:15:45 UTC
Last modified on: 03/21/2024 02:49:19 UTC