#general

Tao Jiang

12/08/2020, 6:09 PM
Hi, does anyone know the vulnerabilities of Thrift45.dll? The Black Duck scanning found the following issues:

1. CVE-2019-0205: In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
2. CVE-2019-3553: C++ Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.02.03.00.
3. CVE-2019-0210: In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data.
4. CVE-2019-11938: Java Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.12.09.00.
5. CVE-2019-11939: Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.03.16.00.

The issues are mainly at the server side, which means osquery itself. Does osquery use a different Thrift library instead? Thanks!
theopolis

12/08/2020, 6:14 PM
Hi Tao, osquery itself uses a Thrift client and server written in C++ and is pinned to Apache version 0.11. So the first DoS vulnerability may be present (I say may due to the vagueness of the description "certain language bindings"). Keep in mind that someone will need privileged access to connect to an osquery Thrift socket, so a DoS security bug is not a probable threat scenario. If someone can open the socket or pipe for writing then they can access all of the osquery data and issue a shutdown API call, a much easier DoS method. These Black Duck warnings can be safely ignored IMO.
Tao Jiang

12/08/2020, 9:19 PM
@theopolis Thanks for responding! I found the named pipe created by osquery can be accessed by everyone on a Windows machine. What's your advice on Windows machines, since most users on local Windows have privileged access? Thx!