Bug ID 1228908
Summary VUL-0: CVE-2024-7542: ofono: lack of proper initialization of memory leads to disclosure of sensitive information when parsing responses from AT+CMGR commands
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.6
Hardware Other
URL https://smash.suse.de/issue/416428/
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee mpluskal@suse.com
Reporter smash_bz@suse.de
QA Contact security-team@suse.de
CC camila.matos@suse.com
Target Milestone ---
Found By Security Response Team
Blocker ---

oFono AT CMGR Command Uninitialized Variable Information Disclosure
Vulnerability. This vulnerability allows local attackers to disclose sensitive
information on affected installations of oFono. An attacker must first obtain
the ability to execute code on the target modem in order to exploit this
vulnerability.

The specific flaw exists within the parsing of responses from AT+CMGR commands.
The issue results from the lack of proper initialization of memory prior to
accessing it. An attacker can leverage this in conjunction with other
vulnerabilities to execute arbitrary code in the context of root. Was
ZDI-CAN-23309.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-7542
https://www.cve.org/CVERecord?id=CVE-2024-7542
http://www.zerodayinitiative.com/advisories/ZDI-24-1082/
https://bugzilla.redhat.com/show_bug.cgi?id=2303005


You are receiving this mail because: