CryptoLib Heap Overflow Vulnerability in Secondary Header Length Processing

Vulnerability

A heap overflow vulnerability has been identified in CryptoLib versions through 1.3.3. The issue arises in the `Crypto_TM_ProcessSecurity` function when the Secondary Header Length of a TM protocol packet exceeds the total packet length. Because that length is not checked against the packet length, the `memcpy` operation that copies packet data into a dynamically allocated buffer can write beyond the end of that buffer. The vulnerability can be exploited to overwrite adjacent heap memory, potentially leading to arbitrary code execution or system instability.

Impact

Exploitation of this vulnerability causes a heap overflow, allowing for memory corruption that could lead to arbitrary code execution or system instability.

Reproduction

The vulnerability can be reproduced by sending a TM protocol packet with a crafted Secondary Header Length that exceeds the packet's total length. This can be done by manipulating the packet data to include a longer secondary header while keeping the overall packet length within the expected range, causing the `memcpy` operation to write beyond the allocated buffer and into adjacent heap memory.
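
The unchecked-length pattern the advisory describes, beside a bounds-checked version, as an added illustration in C. This is not CryptoLib's code: the simplified frame layout, the one-byte length field at offset 6, the function names `tm_copy_unchecked` and `tm_copy_checked`, and the sample frames are assumptions constructed for this example, not `Crypto_TM_ProcessSecurity` or the exact CCSDS TM header format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Simplified, hypothetical TM frame layout used only for this example
 * (assumption; CryptoLib's parser and the real CCSDS TM header differ):
 *   bytes 0..5 : primary header (assumed fixed 6 bytes)
 *   byte  6    : secondary header length field (assumed 1 byte, counting
 *                the secondary header bytes that follow this field)
 *   byte  7..  : secondary header, then frame data */
#define TM_SEC_HDR_LEN_OFF 6
#define TM_MIN_FRAME_LEN   (TM_SEC_HDR_LEN_OFF + 1)

enum tm_status { TM_OK = 0, TM_ERR_SHORT = 1, TM_ERR_SEC_HDR = 2, TM_ERR_NOMEM = 3 };

/* Vulnerable pattern, kept only for contrast (never call it on untrusted
 * input): the working buffer is sized from the trusted frame length, but
 * the number of bytes copied comes straight from the packet's own length
 * field, so a field larger than the frame writes past the heap buffer. */
uint8_t *tm_copy_unchecked(const uint8_t *frame, size_t frame_len)
{
    uint8_t *buf = malloc(frame_len);
    if (buf == NULL)
        return NULL;
    size_t sec_hdr_len = frame[TM_SEC_HDR_LEN_OFF];
    /* BUG: sec_hdr_len is never compared against frame_len */
    memcpy(buf, frame + TM_MIN_FRAME_LEN, sec_hdr_len);
    return buf;
}

/* Returns 1 if the unchecked pattern above would read or write outside
 * the frame's bounds, computed without performing any copy. */
int tm_unchecked_copy_overflows(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < TM_MIN_FRAME_LEN)
        return 1;
    return (size_t)frame[TM_SEC_HDR_LEN_OFF] > frame_len - TM_MIN_FRAME_LEN;
}

/* Hardened version: validate the length field against the bytes that are
 * actually present before allocating or copying anything. On success *out
 * holds a heap copy of the secondary header (caller frees it). */
enum tm_status tm_copy_checked(const uint8_t *frame, size_t frame_len,
                               uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (frame == NULL || frame_len < TM_MIN_FRAME_LEN)
        return TM_ERR_SHORT;
    size_t sec_hdr_len = frame[TM_SEC_HDR_LEN_OFF];
    size_t remaining = frame_len - TM_MIN_FRAME_LEN;
    if (sec_hdr_len > remaining)
        return TM_ERR_SEC_HDR;  /* header claims more bytes than the frame has */
    uint8_t *buf = malloc(sec_hdr_len > 0 ? sec_hdr_len : 1);
    if (buf == NULL)
        return TM_ERR_NOMEM;
    memcpy(buf, frame + TM_MIN_FRAME_LEN, sec_hdr_len);
    *out = buf;
    *out_len = sec_hdr_len;
    return TM_OK;
}

int main(void)
{
    /* Constructed sample frames: a well-formed one whose length field (4)
     * fits, and a crafted one whose length field (0xFF) exceeds the frame. */
    uint8_t good[16] = {0, 1, 2, 3, 4, 5, 4, 0xAA, 0xBB, 0xCC, 0xDD, 0, 0, 0, 0, 0};
    uint8_t bad[16]  = {0, 1, 2, 3, 4, 5, 0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0};
    uint8_t *out = NULL;
    size_t out_len = 0;

    printf("good frame: unchecked copy overflows=%d, checked status=%d\n",
           tm_unchecked_copy_overflows(good, sizeof good),
           tm_copy_checked(good, sizeof good, &out, &out_len));
    free(out);
    printf("bad frame:  unchecked copy overflows=%d, checked status=%d\n",
           tm_unchecked_copy_overflows(bad, sizeof bad),
           tm_copy_checked(bad, sizeof bad, &out, &out_len));
    return 0;
}
```

The check compares the length field against the bytes remaining after it rather than against the whole frame length, which is the stricter bound: it rules out both the over-read from the source frame and the over-write into the destination buffer at once.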

Remediation

Users can update to the patched version of CryptoLib; the fix is available in commit 810fd66d592c883125272fef123c3240db2f170f.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 7.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.