Bug 1225833 (CVE-2024-36845)

Summary: VUL-0: CVE-2024-36845: libmodbus: denial of service due to an invalid pointer in the modbus_receive() function
Product: [openSUSE] openSUSE Distribution
Reporter: SMASH SMASH <smash_bz>
Component: Security
Assignee: Stanislav Brabec <sbrabec>
Status: CONFIRMED ---
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: camila.matos
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/408372/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-36845:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-06-03 12:26:10 UTC
An invalid pointer in the modbus_receive() function of libmodbus v3.1.6 allows attackers to cause a Denial of Service (DoS) via a crafted message sent to the unit-test-server.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-36845
https://www.cve.org/CVERecord?id=CVE-2024-36845
https://github.com/stephane/libmodbus/issues/750
https://bugzilla.redhat.com/show_bug.cgi?id=2284259
Comment 2 Stanislav Brabec 2024-06-11 19:57:29 UTC
Checking upstream, there is no fix. The upstream issue has no progress. Red Hat Bugzilla has no progress yet.

According to the reporter, it seems to be an array out-of-bounds access that triggers the crash.

Is it serious enough to start research? Note that we have no Modbus testing hardware.