Bug 1172524

Summary: VUL-0: CVE-2020-12861, CVE-2020-12862, CVE-2020-12863, CVE-2020-12864, CVE-2020-12865, CVE-2020-12866, CVE-2020-12867: sane-backends: memory corruption bugs
Product: [Novell Products] SUSE Security Incidents
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P2 - High
CC: jsmeix, meissner, security-team, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/260401/
Whiteboard:
  CVSSv3.1:SUSE:CVE-2020-12861:8.8:(AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  CVSSv3.1:SUSE:CVE-2020-12862:4.3:(AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
  CVSSv3.1:SUSE:CVE-2020-12863:4.3:(AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
  CVSSv3.1:SUSE:CVE-2020-12864:4.3:(AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
  CVSSv3.1:SUSE:CVE-2020-12865:7.4:(AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
  CVSSv3.1:SUSE:CVE-2020-12866:5.7:(AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
  CVSSv3.1:SUSE:CVE-2020-12867:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Wolfgang Frisch 2020-06-04 15:34:36 UTC
CVE-2020-12867

A NULL pointer dereference in sanei_epson_net_read in SANE Backends through
1.0.29 allows a malicious device connected to the same local network as the
victim to cause a denial of service, aka GHSL-2020-075.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12867
https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html
https://gitlab.com/sane-project/backends/-/issues/279#issue-1-ghsl-2020-075-null-pointer-dereference-in-sanei_epson_net_read
Comment 1 Wolfgang Frisch 2020-06-08 14:14:45 UTC
Kevin Backhouse of the [GitHub Security Lab team][1] has discovered
several issues in the epson2, epsonds and magicolor backends that could
be exploited by a malicious network device.  All three backends are
enabled by default.  Moreover, all enable automatic discovery of network
devices.  The issues can be used to crash SANE frontends at start up or
when starting a scan as well as corrupt memory leading to a possibility
of remote code execution.

 [1]: https://securitylab.github.com

This release fixes the issues for the epson2 and magicolor backends and
mitigates them for the epsonds backend.

We recommend that you upgrade to this release.  The source tarball and
checksums can be found on the [releases page][2].

 [2]: https://gitlab.com/sane-project/backends/-/releases

Please note that this page also mentions a "Source code" pull down menu
from which you can download the corresponding git repository.  These
archives do *not* include generated files such as the configure script,
Makefile.in files and more.

A nicely formatted version of the release notes can be found at the
[releases page][2] as well.  For your convenience, the "raw" Markdown is
included below.

 ### Backends

 - `epson2`: fixes CVE-2020-12867 (GHSL-2020-075) and several memory
   management issues found while addressing that CVE
 - `epsonds`: addresses out-of-bound memory access issues to fix
   CVE-2020-12862 (GHSL-2020-082) and CVE-2020-12863 (GHSL-2020-083),
   addresses a buffer overflow fixing CVE-2020-12865 (GHSL-2020-084)
   and disables network autodiscovery to mitigate CVE-2020-12866
   (GHSL-2020-079), CVE-2020-12861 (GHSL-2020-080) and CVE-2020-12864
   (GHSL-2020-081).  Note that this backend does not support network
   scanners to begin with.
 - `magicolor`: fixes a floating point exception and uninitialized data
   read
 - fixes an overflow in `sanei_tcp_read()`
Comment 3 Wolfgang Frisch 2020-07-20 16:28:42 UTC
Exploit for CVE-2020-12861 (adjacent network code execution):
https://github.com/github/securitylab/tree/38b182e96a48f19b412039c0b321d6faec2b5c55/SecurityExploits/SANE/epsonds_CVE-2020-12861
Comment 4 Wolfgang Frisch 2020-07-20 17:53:56 UTC
Steps to reproduce:

- Run the fake scanner on a 2nd machine in the same subnet
CVE-2020-12861: ./fakescanner epson 2  # OOB write
CVE-2020-12862: ./fakescanner epson 4  # OOB read
CVE-2020-12863: ./fakescanner epson 6  # OOB read
CVE-2020-12864: ./fakescanner epson 3  # OOB read
CVE-2020-12865: ./fakescanner epson 8  # OOB write
CVE-2020-12866: ./fakescanner epson 1  # null ptr deref
CVE-2020-12867: ./fakescanner epson 0  # null ptr deref

- Run simple-scan.
Some of the bugs require the user to press the "Scan" button.

Not reproducible on SLE-11-SP1. Please double-check.
Reproducible on SLE-12 and SLE-15.
Comment 16 Swamp Workflow Management 2020-10-28 14:14:50 UTC
SUSE-SU-2020:3065-1: An update that fixes 7 vulnerabilities, contains four features is now available.

Category: security (important)
Bug References: 1172524
CVE References: CVE-2020-12861,CVE-2020-12862,CVE-2020-12863,CVE-2020-12864,CVE-2020-12865,CVE-2020-12866,CVE-2020-12867
JIRA References: ECO-2418,PM-2118,SLE-15560,SLE-15561
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    sane-backends-1.0.31-6.3.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    sane-backends-1.0.31-6.3.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    sane-backends-1.0.31-6.3.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    sane-backends-1.0.31-6.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2020-10-31 17:17:57 UTC
openSUSE-SU-2020:1791-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1172524
CVE References: CVE-2020-12861,CVE-2020-12862,CVE-2020-12863,CVE-2020-12864,CVE-2020-12865,CVE-2020-12866,CVE-2020-12867
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    sane-backends-1.0.31-lp151.6.3.1
Comment 18 Swamp Workflow Management 2020-11-01 11:20:33 UTC
openSUSE-SU-2020:1798-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1172524
CVE References: CVE-2020-12861,CVE-2020-12862,CVE-2020-12863,CVE-2020-12864,CVE-2020-12865,CVE-2020-12866,CVE-2020-12867
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    sane-backends-1.0.31-lp152.7.3.1
Comment 19 Swamp Workflow Management 2020-11-03 14:25:21 UTC
SUSE-SU-2020:3125-1: An update that fixes 8 vulnerabilities, contains three features is now available.

Category: security (important)
Bug References: 1172524
CVE References: CVE-2017-6318,CVE-2020-12861,CVE-2020-12862,CVE-2020-12863,CVE-2020-12864,CVE-2020-12865,CVE-2020-12866,CVE-2020-12867
JIRA References: ECO-2418,SLE-15560,SLE-15561
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    sane-backends-1.0.31-4.3.1
SUSE OpenStack Cloud Crowbar 8 (src):    sane-backends-1.0.31-4.3.1
SUSE OpenStack Cloud 9 (src):    sane-backends-1.0.31-4.3.1
SUSE OpenStack Cloud 8 (src):    sane-backends-1.0.31-4.3.1
SUSE OpenStack Cloud 7 (src):    sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server 12-SP5 (src):    sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    sane-backends-1.0.31-4.3.1
SUSE Enterprise Storage 5 (src):    sane-backends-1.0.31-4.3.1
HPE Helion Openstack 8 (src):    sane-backends-1.0.31-4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
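A defender-side check that is not part of this bug report: given the output of `rpm -q sane-backends`, decide whether the installed build is at or above the fixed builds named in the advisories above. It uses a simplified reimplementation of rpm's version comparison (assumes no `~`/`^` markers); the product keys in the table are constructed labels, and the fixed version-release strings are the ones the "Sources used" lines give.

```python
import re

# Fixed sane-backends builds from the "Sources used" lines of the advisories
# above; the product keys are constructed labels, the version-release strings
# are the ones the advisories name.
FIXED_VERSIONS = {
    "SLE-12":    "1.0.31-4.3.1",         # SUSE-SU-2020:3125-1
    "SLE-15":    "1.0.31-6.3.2",         # SUSE-SU-2020:3065-1
    "Leap-15.1": "1.0.31-lp151.6.3.1",   # openSUSE-SU-2020:1791-1
    "Leap-15.2": "1.0.31-lp152.7.3.1",   # openSUSE-SU-2020:1798-1
}

def _segments(s):
    # rpm compares alternating runs of digits and letters; anything else
    # (dots, underscores) only separates segments.
    return re.findall(r"\d+|[a-zA-Z]+", s)

def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b.
    Assumption: no '~' or '^' pre-release markers in the strings."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            ix, iy = int(x), int(y)          # leading zeros are irrelevant
            if ix != iy:
                return 1 if ix > iy else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alpha
        elif x != y:
            return 1 if x > y else -1
    # Equal so far: the string with segments left over is the newer one.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' pairs: version first, release breaks ties."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def parse_nvra(nvra):
    """Split `rpm -q` output 'name-version-release.arch' into 'version-release'."""
    nvr = nvra.rsplit(".", 1)[0]             # drop the architecture
    _name, version, release = nvr.rsplit("-", 2)
    return f"{version}-{release}"

def is_fixed(product, rpm_q_output):
    """True if the installed build is at or above the fixed build for product."""
    return evr_cmp(parse_nvra(rpm_q_output), FIXED_VERSIONS[product]) >= 0
```

Call `is_fixed("SLE-15", "sane-backends-1.0.31-6.3.2.x86_64")` with the string `rpm -q sane-backends` prints on the host being checked.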
Comment 20 Alexandros Toptsoglou 2021-01-27 17:05:21 UTC
DONE