Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/wdormann/statuses/114281733482760943">Will Dormann (wdormann@infosec.exchange)'s status on Saturday, 12-Apr-2025 01:16:44 JST</a><a href="https://infosec.exchange/@wdormann" title="wdormann@infosec.exchange"><img src="https://gnusocial.jp/avatar/232810-48-20240116185707.webp" width="48" height="48" alt="Will Dormann" style="position: absolute; left: 0; top: 0;">Will Dormann</a><div><a href="https://infosec.exchange/@wdormann/114280151477152127" rel="in-reply-to">in reply to</a></div></section><article><p>If I look closer at the difference between the vulnerable version and the "remediated" version, it's now clear where the fix is.</p><p>In the vulnerable code, the attacker-provided length of data is strlcopy'd into a 50-byte array. And badness ensues.</p><p>In the "remediated" version, the strlcopy only copies 50 bytes, as the target variable is 50 bytes.</p><p>So I'd consider this an actual fix. But presumably Ivanti didn't realize that a stack buffer overflow could have a security impact? And thus the lack of CVE when it was fixed, or the attempt to also fix their Ivanti Policy Secure and ZTA Gateways products?  🤷♂️</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4840199#notice-9556523">In conversation</a><time datetime="2025-04-12T01:16:44+09:00" title="Saturday, 12-Apr-2025 01:16:44 JST">about 18 days ago</time> <span>from <span><a href="https://infosec.exchange/@wdormann/114281733482760943" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@wdormann/114281733482760943">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/861744">Untitled attachment</a></label><br></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4449402">Vulnerable code uses strlcpy copy an attacker-provided number of bytes to a 50-byte stack buffer</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/281/726/048/827/339/original/a56f5aaff56a5f0f.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/281/726/048/827/339/original/a56f5aaff56a5f0f.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4449403">Remediated code only copies 50 bytes to a 50-byte stack buffer.</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/281/726/726/955/956/original/558c2016324e412f.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/281/726/726/955/956/original/558c2016324e412f.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4449405">Untitled attachment</a></label><br></li><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="http://bytes.So/">http://bytes.So/</a></h5><div></div></header><div></div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Saturday, 12-Apr-2025 01:16:44 JST Will Dormann
in reply to
If I look closer at the difference between the vulnerable version and the "remediated" version, it's now clear where the fix is.
In the vulnerable code, the attacker-provided length of data is strlcopy'd into a 50-byte array. And badness ensues.
In the "remediated" version, the strlcopy only copies 50 bytes, as the target variable is 50 bytes.
So I'd consider this an actual fix. But presumably Ivanti didn't realize that a stack buffer overflow could have a security impact? And thus the lack of CVE when it was fixed, or the attempt to also fix their Ivanti Policy Secure and ZTA Gateways products? 🤷♂️
In conversationabout 18 days ago from infosec.exchangepermalink
Attachments

Public

Embed Notice

HTML Code

Corresponding Notice