CVE-2020-15211

{"id": "CVE-2020-15211", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.2}]}, "published": "2020-09-25T19:15:16.400", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tensorflow/tensorflow/commit/00302787b788c5ff04cb6f62aed5a74d936e86c0", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tensorflow/tensorflow/commit/1970c2158b1ffa416d159d03c3370b9a462aee35", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tensorflow/tensorflow/commit/46d5b0852528ddfd614ded79bccc75589f801bd9", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tensorflow/tensorflow/commit/cd31fd0ce0449a9e0f83dcad08d6ed7f1d6bef3f", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tensorflow/tensorflow/commit/e11f55585f614645b360563072ffeb5c3eeff162", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tensorflow/tensorflow/commit/fff2c8326280c07733828f990548979bdc893859", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cvpc-8phh-8f45", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/tensorflow/tensorflow/commit/00302787b788c5ff04cb6f62aed5a74d936e86c0", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/tensorflow/tensorflow/commit/1970c2158b1ffa416d159d03c3370b9a462aee35", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/tensorflow/tensorflow/commit/46d5b0852528ddfd614ded79bccc75589f801bd9", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/tensorflow/tensorflow/commit/cd31fd0ce0449a9e0f83dcad08d6ed7f1d6bef3f", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/tensorflow/tensorflow/commit/e11f55585f614645b360563072ffeb5c3eeff162", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/tensorflow/tensorflow/commit/fff2c8326280c07733828f990548979bdc893859", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cvpc-8phh-8f45", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices for the tensors, indexing into an array of tensors that is owned by the subgraph. This results in a pattern of double array indexing when trying to get the data of each tensor. However, some operators can have some tensors be optional. To handle this scenario, the flatbuffer model uses a negative `-1` value as index for these tensors. This results in special casing during validation at model loading time. Unfortunately, this means that the `-1` index is a valid tensor index for any operator, including those that don't expect optional inputs and including for output tensors. Thus, this allows writing and reading from outside the bounds of heap allocated arrays, although only at a specific offset from the start of these arrays. This results in both read and write gadgets, albeit very limited in scope. The issue is patched in several commits (46d5b0852, 00302787b7, e11f5558, cd31fd0ce, 1970c21, and fff2c83), and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. A potential workaround would be to add a custom `Verifier` to the model loading code to ensure that only operators which accept optional inputs use the `-1` special value and only for the tensors that they expect to be optional. Since this allow-list type approach is erro-prone, we advise upgrading to the patched code."}, {"lang": "es", "value": "En TensorFlow Lite versiones anteriores a 1.15.4, 2.0.3, 2.1.2, 2.2.1 y 2.3.1, los modelos guardados en formato flatbuffer usan un esquema de indexaci\u00f3n doble: un modelo tiene un conjunto de subgr\u00e1ficos, cada subgr\u00e1fico tiene un conjunto de operadores y cada operador tiene un conjunto de tensores de entrada/salida. El formato flatbuffer usa \u00edndices para los tensores, indexando en una matriz de tensores que es propiedad del subgr\u00e1fico. Esto resulta en un patr\u00f3n de indexaci\u00f3n de doble matriz cuando intenta obtener los datos de cada tensor. Sin embargo, algunos operadores pueden tener algunos tensores opcionales. Para manejar este escenario, el modelo flatbuffer usa un valor negativo \"-1\" como \u00edndice para estos tensores. Esto resulta en un cubierta especial durante la comprobaci\u00f3n en el momento de la carga del modelo. Desafortunadamente, esto significa que el \u00edndice \"-1\" es un \u00edndice tensorial v\u00e1lido para cualquier operador, incluyendo aquellos que no esperan entradas opcionales e incluso para tensores de salida. Por tanto, esto permite escribir y leer desde fuera de los l\u00edmites de los arreglos asignados de la pila, aunque solo en un desplazamiento espec\u00edfico desde el inicio de estos arreglos. Esto resulta en gadgets de lectura y escritura, aunque con un alcance muy limitado. El problema es parcheado en varias commits (46d5b0852, 00302787b7, e11f5558, cd31fd0ce, 1970c21 y fff2c83) y es publicado en TensorFlow versiones 1.15.4, 2.0.3, 2.1.2, 2.2.1 o 2.3.1. Una soluci\u00f3n alternativa potencial ser\u00eda agregar un \"Verifier\" personalizado al c\u00f3digo de carga del modelo para garantizar que solo los operadores que aceptan entradas opcionales usen el valor especial \"-1\" y solo para los tensores que esperan que sean opcionales. Dado que este enfoque de tipo allow-list es propenso a errores, recomendamos actualizar al c\u00f3digo parcheado"}], "lastModified": "2024-11-21T05:05:05.877", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:google:tensorflow:*:*:*:*:lite:*:*:*", "vulnerable": true, "matchCriteriaId": "7A5421A9-693F-472A-9A21-43950C884C77", "versionEndExcluding": "1.15.4"}, {"criteria": "cpe:2.3:a:google:tensorflow:*:*:*:*:lite:*:*:*", "vulnerable": true, "matchCriteriaId": "B0FEB74E-5E54-4A2F-910C-FA1812C73DB2", "versionEndExcluding": "2.0.3", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:google:tensorflow:*:*:*:*:lite:*:*:*", "vulnerable": true, "matchCriteriaId": "47D83682-6615-49BC-8043-F36B9D017578", "versionEndExcluding": "2.1.2", "versionStartIncluding": "2.1.0"}, {"criteria": "cpe:2.3:a:google:tensorflow:*:*:*:*:lite:*:*:*", "vulnerable": true, "matchCriteriaId": "323B716A-E8F7-4CDA-B8FD-A56977D59C02", "versionEndExcluding": "2.2.1", "versionStartIncluding": "2.2.0"}, {"criteria": "cpe:2.3:a:google:tensorflow:*:*:*:*:lite:*:*:*", "vulnerable": true, "matchCriteriaId": "C09502A8-B667-4867-BEBD-40333E98A601", "versionEndExcluding": "2.3.1", "versionStartIncluding": "2.3.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}