CVE-2019-3570 - OpenCVE

Call to the scrypt_enc() function in HHVM can lead to heap corruption by using specifically crafted parameters (N, r and p). This happens if the parameters are configurable by an attacker for instance by providing the output of scrypt_enc() in a context where Hack/PHP code would attempt to verify it by re-running scrypt_enc() with the same parameters. This could result in information disclosure, memory being overwriten or crashes of the HHVM process. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Facebook	Hiphop Virtual Machine

Configuration 1 [-]

OR	cpe:2.3:a:facebook:hiphop_virtual_machine::::::::
	cpe:2.3:a:facebook:hiphop_virtual_machine::::::::
	cpe:2.3:a:facebook:hiphop_virtual_machine:4.1.0:::::::*
	cpe:2.3:a:facebook:hiphop_virtual_machine:4.2.0:::::::*
	cpe:2.3:a:facebook:hiphop_virtual_machine:4.3.0:::::::*
	cpe:2.3:a:facebook:hiphop_virtual_machine:4.4.0:::::::*
	cpe:2.3:a:facebook:hiphop_virtual_machine:4.5.0:::::::*
	cpe:2.3:a:facebook:hiphop_virtual_machine:4.6.0:::::::*
	cpe:2.3:a:facebook:hiphop_virtual_machine:4.7.0:::::::*
	cpe:2.3:a:facebook:hiphop_virtual_machine:4.8.0:::::::*

References

Link	Resource
https://github.com/facebook/hhvm/commit/cc331e4349e91706a673e2a09f1f2ea5bbb33815	Patch Third Party Advisory
https://hhvm.com/blog/2019/06/10/hhvm-4.9.0.html	Release Notes Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: facebook

Published: 2019-07-18T15:42:25

Updated: 2019-07-18T15:42:25

Reserved: 2019-01-02T00:00:00

Link: CVE-2019-3570

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-07-18T16:15:12.297

Modified: 2020-10-16T15:14:37.373

Link: CVE-2019-3570

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "HHVM", "vendor": "Facebook", "versions": [{"status": "affected", "version": "4.8.1"}, {"status": "affected", "version": "4.8.0"}, {"status": "affected", "version": "4.7.1"}, {"status": "affected", "version": "4.7.0"}, {"status": "affected", "version": "4.6.1"}, {"status": "affected", "version": "4.6.0"}, {"status": "affected", "version": "4.5.1"}, {"status": "affected", "version": "4.5.0"}, {"status": "affected", "version": "4.4.1"}, {"status": "affected", "version": "4.4.0"}, {"status": "affected", "version": "4.3.1"}, {"lessThan": "unspecified", "status": "affected", "version": "4.0.0", "versionType": "custom"}, {"status": "affected", "version": "3.30.6"}, {"lessThanOrEqual": "3.30.5", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "dateAssigned": "2019-06-10T00:00:00", "datePublic": "2019-06-11T00:00:00", "descriptions": [{"lang": "en", "value": "Call to the scrypt_enc() function in HHVM can lead to heap corruption by using specifically crafted parameters (N, r and p). This happens if the parameters are configurable by an attacker for instance by providing the output of scrypt_enc() in a context where Hack/PHP code would attempt to verify it by re-running scrypt_enc() with the same parameters. This could result in information disclosure, memory being overwriten or crashes of the HHVM process. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "Heap-based Buffer Overflow (CWE-122)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-07-18T15:42:25", "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/facebook/hhvm/commit/cc331e4349e91706a673e2a09f1f2ea5bbb33815"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://hhvm.com/blog/2019/06/10/hhvm-4.9.0.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@fb.com", "DATE_ASSIGNED": "2019-06-10", "ID": "CVE-2019-3570", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "HHVM", "version": {"version_data": [{"version_affected": "!=>", "version_value": "4.8.1"}, {"version_affected": "=", "version_value": "4.8.0"}, {"version_affected": "!=>", "version_value": "4.7.1"}, {"version_affected": "=", "version_value": "4.7.0"}, {"version_affected": "!=>", "version_value": "4.6.1"}, {"version_affected": "=", "version_value": "4.6.0"}, {"version_affected": "!=>", "version_value": "4.5.1"}, {"version_affected": "=", "version_value": "4.5.0"}, {"version_affected": "!=>", "version_value": "4.4.1"}, {"version_affected": "=", "version_value": "4.4.0"}, {"version_affected": "!=>", "version_value": "4.3.1"}, {"version_affected": ">=", "version_value": "4.0.0"}, {"version_affected": "!=>", "version_value": "3.30.6"}, {"version_affected": "<=", "version_value": "3.30.5"}]}}]}, "vendor_name": "Facebook"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Call to the scrypt_enc() function in HHVM can lead to heap corruption by using specifically crafted parameters (N, r and p). This happens if the parameters are configurable by an attacker for instance by providing the output of scrypt_enc() in a context where Hack/PHP code would attempt to verify it by re-running scrypt_enc() with the same parameters. This could result in information disclosure, memory being overwriten or crashes of the HHVM process. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Heap-based Buffer Overflow (CWE-122)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/facebook/hhvm/commit/cc331e4349e91706a673e2a09f1f2ea5bbb33815", "refsource": "CONFIRM", "url": "https://github.com/facebook/hhvm/commit/cc331e4349e91706a673e2a09f1f2ea5bbb33815"}, {"name": "https://hhvm.com/blog/2019/06/10/hhvm-4.9.0.html", "refsource": "CONFIRM", "url": "https://hhvm.com/blog/2019/06/10/hhvm-4.9.0.html"}]}}}}, "cveMetadata": {"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "assignerShortName": "facebook", "cveId": "CVE-2019-3570", "datePublished": "2019-07-18T15:42:25", "dateReserved": "2019-01-02T00:00:00", "dateUpdated": "2019-07-18T15:42:25", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:facebook:hiphop_virtual_machine:*:*:*:*:*:*:*:*", "matchCriteriaId": "7300A72B-8FCE-4F1D-A52A-CEF086502729", "versionEndIncluding": "3.30.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:facebook:hiphop_virtual_machine:*:*:*:*:*:*:*:*", "matchCriteriaId": "13CFD992-D6E6-40E0-BD63-6782956332DE", "versionEndIncluding": "4.0.4", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:facebook:hiphop_virtual_machine:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "7105CCC0-A141-4AE9-84C1-87582AA0E443", "vulnerable": true}, {"criteria": "cpe:2.3:a:facebook:hiphop_virtual_machine:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "E97B345E-5B33-4723-8A19-33B297FFB964", "vulnerable": true}, {"criteria": "cpe:2.3:a:facebook:hiphop_virtual_machine:4.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "1BD9995D-6695-4EB5-B307-AD6B2002D918", "vulnerable": true}, {"criteria": "cpe:2.3:a:facebook:hiphop_virtual_machine:4.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "03A26433-3B9D-4E38-AD43-5DF0D21BE6D2", "vulnerable": true}, {"criteria": "cpe:2.3:a:facebook:hiphop_virtual_machine:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "BF29D566-16FE-4D0B-BA09-64C5323DABC6", "vulnerable": true}, {"criteria": "cpe:2.3:a:facebook:hiphop_virtual_machine:4.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "3EF05E05-0D7C-424F-8655-85926D14C6D8", "vulnerable": true}, {"criteria": "cpe:2.3:a:facebook:hiphop_virtual_machine:4.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "428F37ED-6B16-4A78-A7DC-01042F96C0D7", "vulnerable": true}, {"criteria": "cpe:2.3:a:facebook:hiphop_virtual_machine:4.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "891439D0-5C5C-4DAE-ADD5-4541BE8056A7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Call to the scrypt_enc() function in HHVM can lead to heap corruption by using specifically crafted parameters (N, r and p). This happens if the parameters are configurable by an attacker for instance by providing the output of scrypt_enc() in a context where Hack/PHP code would attempt to verify it by re-running scrypt_enc() with the same parameters. This could result in information disclosure, memory being overwriten or crashes of the HHVM process. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series."}, {"lang": "es", "value": "La llamada a la funci\u00f3n scrypt_enc () en HHVM puede provocar da\u00f1os en el mont\u00f3n mediante el uso de par\u00e1metros espec\u00edficamente dise\u00f1ados (N, r y p). Esto sucede si los par\u00e1metros son configurables por un atacante, por ejemplo, proporcionando la salida de scrypt_enc () en un contexto donde el c\u00f3digo Hack / PHP intentar\u00eda verificarlo volviendo a ejecutar scrypt_enc () con los mismos par\u00e1metros. Esto podr\u00eda dar lugar a la divulgaci\u00f3n de informaci\u00f3n, la sobrescritura de memoria o el bloqueo del proceso HHVM. Este problema afecta a las versiones 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versiones 3.30.5 y anteriores, y todas las versiones de las series 4.0, 4.1 y 4.2."}], "id": "CVE-2019-3570", "lastModified": "2020-10-16T15:14:37.373", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-18T16:15:12.297", "references": [{"source": "cve-assign@fb.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/facebook/hhvm/commit/cc331e4349e91706a673e2a09f1f2ea5bbb33815"}, {"source": "cve-assign@fb.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://hhvm.com/blog/2019/06/10/hhvm-4.9.0.html"}], "sourceIdentifier": "cve-assign@fb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-122"}], "source": "cve-assign@fb.com", "type": "Secondary"}]}