Open Babel MOL2 Parser Out-of-Bounds Write (CVE-2022-43607)
A memory-safety vulnerability, CVE-2022-43607, in Open Babel's MOL2 parser allows an out-of-bounds write when processing a crafted input file, potentially leading to denial of service or arbitrary code execution.
Cisco TALOS reported a critical memory-safety vulnerability, CVE-2022-43607, affecting Open Babel versions up to 3.1.1. This flaw resides within the MOL2 file format parser, specifically in the attribute/value parsing path. An attacker can craft a malicious MOL2 file containing an overly long attribute or value, which, when processed by the vulnerable Open Babel software, triggers an out-of-bounds write. This vulnerability is significant because Open Babel is a widely used C++ library and command-line interface (obabel) for manipulating chemistry file formats, often embedded in scientific applications and services. The vulnerability can be exploited when a victim opens a specially crafted MOL2 file using the obabel tool, the OBConversion API, or any of its language bindings (Python, Ruby, Java, R, Perl, C#, PHP). This can lead to memory corruption, denial of service, or potentially arbitrary code execution if successfully weaponized.
Attack Chain
- An attacker crafts a malicious MOL2 file containing an over-long attribute or value designed to exceed a fixed-size buffer.
- The attacker delivers this crafted MOL2 file to a target system or user (e.g., via email, web download, or shared storage).
- The victim opens or processes the malicious MOL2 file using the
obabelcommand-line tool, theOBConversionAPI, or one of Open Babel's language bindings. - Open Babel's MOL2 parser attempts to parse the malicious file's attributes and values.
- During parsing, the overly long data triggers an out-of-bounds write operation past the end of an allocated memory buffer.
- This memory corruption can lead to a crash of the Open Babel process, resulting in a denial of service (DoS).
- With sophisticated exploitation, this memory corruption could potentially be leveraged to achieve arbitrary code execution.
Impact
The successful exploitation of CVE-2022-43607 can result in memory corruption, leading to a denial of service (DoS) by crashing the application or tool processing the malicious MOL2 file. In more severe scenarios, it could enable arbitrary code execution, granting attackers control over the compromised system. While no specific in-the-wild exploitation has been observed, the widespread use of Open Babel in academic, research, and industrial sectors that handle chemical data means that a broad range of organizations could be affected. Any service or workstation that uses Open Babel to parse untrusted MOL2 files is at risk.
Recommendation
- Patch CVE-2022-43607 by updating Open Babel to version 3.2.0 or later immediately across all affected systems.
- Implement process creation logging (e.g., Sysmon for Windows or Auditd for Linux) to activate the provided Sigma rule for
obabelexecution. - Review and tune the provided Sigma rule to monitor for unusual invocations of the
obabelcommand-line tool, especially from untrusted sources or with uncommon parameters. - Educate users on the risks of opening untrusted or suspicious MOL2 files received from unknown sources, as user interaction is required for exploitation.
Detection coverage 1
Detect Open Babel obabel CLI Processing MOL2 Files
lowDetects the execution of the Open Babel command-line tool `obabel` when it is invoked to process .mol2 files, which is a known trigger for CVE-2022-43607.
Detection queries are available on the platform. Get full rules →