Impact
What kind of vulnerability is it? Who is impacted?
This bug is triggered on 32-bit machines when the CUPS server responds with a message (https://doc.sm.tc/station/cupsproto.html#http-post-response) where the signature length is larger than 2 GByte (never happens in practice), or the response is crafted specifically to trigger this issue (i.e. the length signature field indicates a value larger than (2**31)-1 although the signature actually does not contain that much data). In such a scenario, on 32 bit machines, Basic Station would execute a code path, where a piece of memory is accessed after it has been freed, causing the process to crash and restarted again.
Patches
Has the problem been patched? What versions should users upgrade to?
Yes. Version 2.0.4+ contains the fix.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
The CUPS transaction is typically mutually authenticated over TLS. Therefore, in order to trigger this vulnerability, the attacker would have to gain access to the CUPS server first. If the user chose to operate without authentication over TLS but yet is concerned about this vulnerability, one possible work around is to enable TLS authentication.
References
Are there any links users can visit to find out more?
No.
For more information
If you have any questions or comments about this advisory:
Please report all vulnerabilities to LoRa-Net@semtech.com.
Impact
What kind of vulnerability is it? Who is impacted?
This bug is triggered on 32-bit machines when the CUPS server responds with a message (https://doc.sm.tc/station/cupsproto.html#http-post-response) where the signature length is larger than 2 GByte (never happens in practice), or the response is crafted specifically to trigger this issue (i.e. the length signature field indicates a value larger than (2**31)-1 although the signature actually does not contain that much data). In such a scenario, on 32 bit machines, Basic Station would execute a code path, where a piece of memory is accessed after it has been freed, causing the process to crash and restarted again.
Patches
Has the problem been patched? What versions should users upgrade to?
Yes. Version 2.0.4+ contains the fix.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
The CUPS transaction is typically mutually authenticated over TLS. Therefore, in order to trigger this vulnerability, the attacker would have to gain access to the CUPS server first. If the user chose to operate without authentication over TLS but yet is concerned about this vulnerability, one possible work around is to enable TLS authentication.
References
Are there any links users can visit to find out more?
No.
For more information
If you have any questions or comments about this advisory:
Please report all vulnerabilities to LoRa-Net@semtech.com.