{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/zserio/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Navigation Data Standard (NDS)","zserio-runtime"],"_cs_severities":["medium"],"_cs_tags":["zserio","denial-of-service","memory-allocation","nds"],"_cs_type":"advisory","_cs_vendors":["Toyota","BMW","Volkswagen","Mercedes-Benz"],"content_html":"\u003cp\u003eA critical vulnerability exists within the Zserio runtime library, a serialization framework used in various applications, including the Navigation Data Standard (NDS) for automotive systems. This flaw allows a malicious actor to trigger an unbounded memory allocation by providing a specially crafted input. A payload as small as 4-5 bytes can cause memory allocations of up to 16 GB, resulting in a denial-of-service (DoS) condition due to an out-of-memory (OOM) error. This issue affects Zserio versions 2.18.0 and earlier. The vulnerability stems from insufficient validation of the declared size of data structures during deserialization, leading to excessive memory reservation. 
Exploitation could disrupt critical systems relying on Zserio, particularly within the automotive sector where NDS is widely deployed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious NDS data payload.\u003c/li\u003e\n\u003cli\u003eThe payload includes a \u0026ldquo;varsize\u0026rdquo; field claiming an extremely large size (e.g., 2,147,483,647 bytes).\u003c/li\u003e\n\u003cli\u003eThe vulnerable Zserio runtime attempts to deserialize the payload.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eArray.h\u003c/code\u003e or \u003ccode\u003eArray.java\u003c/code\u003e code calls \u003ccode\u003ereserve()\u003c/code\u003e or \u003ccode\u003ereset()\u003c/code\u003e with the attacker-controlled size.\u003c/li\u003e\n\u003cli\u003eThe system attempts to allocate a large block of memory (up to 16 GB), based on the attacker-specified size.\u003c/li\u003e\n\u003cli\u003eMemory allocation fails, or consumes excessive resources.\u003c/li\u003e\n\u003cli\u003eThe application crashes due to an out-of-memory (OOM) error.\u003c/li\u003e\n\u003cli\u003eThe denial-of-service condition prevents the application from functioning correctly.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability affects applications utilizing the Zserio serialization framework, including the Navigation Data Standard (NDS) used by 43 member companies, including Toyota, BMW, Volkswagen, and Mercedes-Benz. Successful exploitation can lead to a denial-of-service (DoS) condition, potentially impacting millions of cars on the road that rely on NDS for map updates and navigation data. Attack vectors include NDS.Live cloud map updates, map data supply chain compromise, and backend data processing pipelines. On 32-bit automotive ECUs, this could affect ADAS functionality. 
A 4-byte payload can trigger the allocation of 762 MB of memory, and a 5-byte payload triggers an allocation of 16 GB, leading to a system crash.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch available in Zserio version 2.18.1 to remediate the vulnerability (\u003ca href=\"https://github.com/ndsev/zserio/releases/tag/v2.18.1\"\u003ehttps://github.com/ndsev/zserio/releases/tag/v2.18.1\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement input validation to ensure that the declared size of data structures during deserialization does not exceed the remaining size of the input stream, as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Zserio Large Memory Allocation\u003c/code\u003e to identify potential exploitation attempts in environments where Zserio is used.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T12:00:00Z","date_published":"2024-05-02T12:00:00Z","id":"/briefs/2024-05-zserio-oom/","summary":"A crafted payload can force memory allocations of up to 16 GB, leading to a denial-of-service condition in applications using the Zserio serialization framework, including those within the automotive Navigation Data Standard (NDS).","title":"Zserio Runtime Unbounded Memory Allocation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-05-zserio-oom/"}],"language":"en","title":"CraftedSignal Threat Feed — Zserio","version":"https://jsonfeed.org/version/1.1"}