Dell ControlVault3 and ControlVault3 Plus Buffer Overflow Vulnerability in CvManager Functionality
Vulnerability
A buffer overflow vulnerability has been identified in the CvManager functionality of Dell ControlVault3 versions prior to 5.15.14.19 and Dell ControlVault3 Plus versions prior to 6.2.36.47. This vulnerability allows memory corruption through a specially crafted ControlVault API call. Any low-privilege user can exploit this issue by interfacing with the ControlVault3 hardware via a userland DLL that communicates with the device driver, which in turn interacts with the ARM firmware on the Broadcom BCM5820X chip.
Impact
Exploitation of this vulnerability can lead to memory corruption, allowing attackers to overwrite adjacent memory and potentially execute arbitrary code. The buffer overflow can corrupt various data structures, including heap metadata, which is commonly exploited to gain control of program execution.
Reproduction
To reproduce this vulnerability, a low-privilege user can send a crafted ControlVault API call through the 'bcmbipdll.dll' library. The 'cvusbdrv.sys' driver passes the command to the ARM firmware on the BCM5820X chip. The firmware reads the command into a global buffer, 'CV_SECURE_IO_COMMAND_BUF', and then copies it to another global buffer, 'CV_COMMAND_BUF', using 'memcpy'. Because the copy length is taken from the command's 'transportLen' parameter without being checked against the 4096-byte capacity of 'CV_COMMAND_BUF', a 'transportLen' larger than 4096 overflows that buffer, corrupting memory and potentially allowing arbitrary code execution.
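The following is an added illustration of the unchecked-length copy the advisory describes and of the bounds check that closes it; it is not Dell's firmware code, and the command header layout (a 32-bit little-endian 'transportLen' at offset 0, counting the whole command) and the 'cv_*' function names are assumptions for illustration. Only the buffer names and the 4096-byte capacity come from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Capacity of CV_COMMAND_BUF as stated in the advisory. The buffer names
 * are the advisory's; the header layout below is an assumption. */
#define CV_COMMAND_BUF_SIZE 4096u

static uint8_t CV_SECURE_IO_COMMAND_BUF[2 * CV_COMMAND_BUF_SIZE];
static uint8_t CV_COMMAND_BUF[CV_COMMAND_BUF_SIZE];

/* Assumed header: little-endian 32-bit transportLen at offset 0, covering
 * the whole command including the length field itself. */
static inline uint32_t read_transport_len(const uint8_t *cmd) {
    return (uint32_t)cmd[0] | ((uint32_t)cmd[1] << 8) |
           ((uint32_t)cmd[2] << 16) | ((uint32_t)cmd[3] << 24);
}

/* Pattern the advisory describes: transportLen from the request is used
 * directly as the memcpy length, so any value above 4096 overflows. */
void cv_copy_command_unchecked(void) {
    uint32_t transportLen = read_transport_len(CV_SECURE_IO_COMMAND_BUF);
    memcpy(CV_COMMAND_BUF, CV_SECURE_IO_COMMAND_BUF, transportLen);
}

/* Hardened form: validate transportLen against the destination capacity
 * and against the bytes actually received, and reject rather than truncate. */
bool cv_copy_command_checked(size_t received_len) {
    if (received_len < 4 || received_len > sizeof CV_SECURE_IO_COMMAND_BUF)
        return false;
    uint32_t transportLen = read_transport_len(CV_SECURE_IO_COMMAND_BUF);
    if (transportLen < 4 || transportLen > received_len ||
        transportLen > CV_COMMAND_BUF_SIZE)
        return false;
    memcpy(CV_COMMAND_BUF, CV_SECURE_IO_COMMAND_BUF, transportLen);
    return true;
}

/* Helper: stage a constructed command with the given transportLen in
 * CV_SECURE_IO_COMMAND_BUF and return the number of bytes "received". */
size_t cv_stage_command(uint32_t transportLen, size_t received_len) {
    if (received_len > sizeof CV_SECURE_IO_COMMAND_BUF)
        received_len = sizeof CV_SECURE_IO_COMMAND_BUF;
    memset(CV_SECURE_IO_COMMAND_BUF, 0x41, sizeof CV_SECURE_IO_COMMAND_BUF);
    CV_SECURE_IO_COMMAND_BUF[0] = (uint8_t)transportLen;
    CV_SECURE_IO_COMMAND_BUF[1] = (uint8_t)(transportLen >> 8);
    CV_SECURE_IO_COMMAND_BUF[2] = (uint8_t)(transportLen >> 16);
    CV_SECURE_IO_COMMAND_BUF[3] = (uint8_t)(transportLen >> 24);
    return received_len;
}
```

The checked variant rejects a command whose declared length exceeds either the 4096-byte destination or the bytes actually read from the host, which is the condition the unchecked 'memcpy' fails to enforce.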
Remediation
Users can update to Dell ControlVault3 version 5.15.14.19 or later, or Dell ControlVault3 Plus version 6.2.36.47 or later. Specific update instructions can be found on the Dell Drivers & Downloads site.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
