Bloomberg Comdb2 Null Pointer Dereference Vulnerability in Protocol Buffer Message Handling
Vulnerability
A null pointer dereference vulnerability has been identified in Bloomberg Comdb2 version 8.1. The flaw lies in the handling of the net_connectmsg Protocol Buffer message: the code does not validate the contents of an incoming message before dereferencing a field from it, so a specially crafted network packet carrying a malformed message causes the service to crash, resulting in a denial-of-service condition.
Impact
Exploitation of this vulnerability leads to a denial-of-service condition, causing the Comdb2 service to terminate unexpectedly.
Reproduction
To reproduce this vulnerability, first, create a Comdb2 database instance that registers with the 'pmux' port multiplexer service. Once the database is running, it will be assigned a port number that can be queried through the 'pmux' service. After identifying the database's port, send a crafted network packet to the Comdb2 instance that includes a malformed 'NetConnectMsg' protocol buffer message. This can be done using the provided Python proof-of-concept script, which automates the process of querying the 'pmux' service, selecting the target database, and sending the exploit payload.
Remediation
Users are advised to update to the patched version of Bloomberg Comdb2, which is available through the Bloomberg software distribution channels.