HDF5 Heap Buffer Overflow Vulnerability in Reference Memory Management Method Allowing Denial-of-Service

Vulnerability

A heap buffer overflow vulnerability has been identified in the HDF5 data management software, in versions through 1.14.1-2. The issue is in the 'H5T__ref_mem_setnull' function: an attacker can craft an HDF5 file that triggers a write-based heap buffer overflow when the file is parsed. This causes a denial-of-service condition and, depending on how exploitable the heap overflow is on modern operating systems, could potentially lead to remote code execution.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, leading to a denial-of-service condition. Heap overflows of this kind can often be exploited for remote code execution, depending on the specific circumstances. In this case, the proof-of-concept produced a heap overflow that wrote null bytes out of bounds, which reduces the likelihood of remote code execution, but the vulnerability could still be exploited for that purpose under different scenarios.

Reproduction

The vulnerability can be reproduced by compiling HDF5 with GCC 10 and AddressSanitizer enabled. After building and installing the library, the 'h5dump' utility is used to parse a crafted HDF5 file that triggers the heap buffer overflow. AddressSanitizer then reports a heap-buffer-overflow error, confirming that the overflow was triggered.
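An added example (not part of the original advisory or of the HDF5 project): a Python triage helper that parses the AddressSanitizer output of an 'h5dump' run and checks that the fault is a heap-buffer-overflow write with 'H5T__ref_mem_setnull' on the faulting stack. The sample report is constructed (its addresses, size and module paths are placeholders), and the names parse_asan and matches_advisory are hypothetical.

```python
import re

# Constructed ASan excerpt: addresses, sizes and module paths are placeholders,
# not values taken from the advisory.
SAMPLE_REPORT = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000038 at pc 0x000000400000 bp 0x7ffc00000000 sp 0x7ffc00000008
WRITE of size 16 at 0x602000000038 thread T0
    #0 0x000000400000 in __interceptor_memset (/placeholder/libasan.so+0x0)
    #1 0x000000400100 in H5T__ref_mem_setnull (/placeholder/libhdf5.so+0x0)
    #2 0x000000400200 in main (/placeholder/h5dump+0x0)

0x602000000038 is located 0 bytes to the right of 56-byte region [0x602000000000,0x602000000038)
allocated by thread T0 here:
    #0 0x000000400300 in malloc (/placeholder/libasan.so+0x0)
"""

HEADER = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address")
ACCESS = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at", re.M)
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+)", re.M)


def parse_asan(report):
    """Return error kind, access type, size and faulting-stack frames, or None."""
    head = HEADER.search(report)
    if head is None:
        return None  # no ASan error in this output
    access = ACCESS.search(report, head.end())
    start = access.end() if access else head.end()
    # The faulting stack ends at the first blank line; the allocation
    # stack printed after it must not be mixed into the frame list.
    faulting = report[start:].split("\n\n", 1)[0]
    return {
        "kind": head.group("kind"),
        "op": access.group("op") if access else None,
        "size": int(access.group("size")) if access else None,
        "frames": [m.group("func") for m in FRAME.finditer(faulting)],
    }


def matches_advisory(finding, func="H5T__ref_mem_setnull"):
    """True only for a heap-buffer-overflow WRITE that passes through func."""
    return bool(
        finding
        and finding["kind"] == "heap-buffer-overflow"
        and finding["op"] == "WRITE"
        and func in finding["frames"]
    )


if __name__ == "__main__":
    print(matches_advisory(parse_asan(SAMPLE_REPORT)))
```

Running the same check against a patched build gives a quick regression signal: a fixed library should produce no ASan header at all for the same input file.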

Added: Apr 10, 2026, 5:14 PM
Updated: Apr 10, 2026, 5:14 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 7.5
exploitability: 5.5
remediation: 0.0
relevance: 5.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.