#VU47311 Out-of-bounds read in DPDK - CVE-2020-14377

Cybersecurity Help s.r.o.

Published: 2020-09-30 | Updated: 2020-10-05

Vulnerability identifier: #VU47311

Vulnerability risk: Medium

CVSSv4.0: 4.7 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-14377

CWE-ID: CWE-125

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
DPDK
Server applications / Frameworks for developing and running applications

Vendor: DPDK Project

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition. A remote user on the guest OS can run a specially crafted program to trigger out-of-bounds read error and read contents of memory of the host OS.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

DPDK: 18.02 - 18.11.9, 19.02 - 19.11.4

External links
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00004.html
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00006.html
https://bugzilla.redhat.com/show_bug.cgi?id=1879472
https://usn.ubuntu.com/4550-1/
https://www.openwall.com/lists/oss-security/2020/09/28/3

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

openEuler 20.03 LTS update for dpdk

OpenSUSE Linux update for dpdk

Multiple vulnerabilities in dpdk

Ubuntu update for dpdk