Summary
Parsing a CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.

When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.
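The missing length check described above, as an added example that is not code from Extreme Networks or from the affected library. The function names and the 16-byte `MAX_IV_LEN` are assumptions; the parameter layout follows GCMParameters in RFC 5084 (a SEQUENCE whose first element is the nonce as an OCTET STRING).

```c
#include <stddef.h>
#include <string.h>

#define MAX_IV_LEN 16 /* assumed size of the fixed destination buffer */

/* Read one DER tag/length header; returns header size, 0 if malformed. */
static size_t der_header(const unsigned char *p, size_t avail,
                         unsigned char tag, size_t *len)
{
    if (avail < 2 || p[0] != tag) return 0;
    if (p[1] < 0x80) { *len = p[1]; return 2; }
    size_t n = p[1] & 0x7f;              /* long form: n length bytes */
    if (n == 0 || n > 2 || avail < 2 + n) return 0;
    *len = 0;
    for (size_t i = 0; i < n; i++) *len = (*len << 8) | p[2 + i];
    return 2 + n;
}

/* Copy the nonce out of GCMParameters (SEQUENCE { OCTET STRING, INTEGER }).
 * Returns the nonce length, or -1 if malformed or larger than the buffer. */
int gcm_params_get_iv(const unsigned char *der, size_t der_len,
                      unsigned char iv[MAX_IV_LEN])
{
    size_t seq_len, iv_len, h = der_header(der, der_len, 0x30, &seq_len);
    if (h == 0 || seq_len > der_len - h) return -1;
    der += h;
    h = der_header(der, seq_len, 0x04, &iv_len);
    if (h == 0 || iv_len > seq_len - h) return -1;
    /* The length is attacker-controlled: it must fit the destination
     * before anything is copied. A bare memcpy here is the overflow. */
    if (iv_len == 0 || iv_len > MAX_IV_LEN) return -1;
    memcpy(iv, der + h, iv_len);
    return (int)iv_len;
}

/* Constructed sample: SEQUENCE { OCTET STRING of n bytes }, n < 126. */
int demo_parse_iv_of_len(size_t n)
{
    unsigned char msg[132] = { 0x30, 0, 0x04, 0 }, iv[MAX_IV_LEN];
    if (n > 125) return -1;
    msg[1] = (unsigned char)(n + 2);
    msg[3] = (unsigned char)n;
    memset(msg + 4, 0xAB, n);
    return gcm_params_get_iv(msg, n + 4, iv);
}
```

The rejection happens at parse time, before any key is used, which is the same point at which the advisory says the unchecked copy occurs.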
Products not listed in the Impact Details section have not been evaluated. Furthermore, products that have exceeded any software maintenance time periods are also not evaluated and will not be published. Please consult End of Sale and End of Service Life - Extreme Networks for the EOL notices related to the product in question.
Products Potentially Affected
| OS/Product | Exposure |
| --- | --- |
| ExtremeAnalytics for Site Engine | Yes |
| ExtremeCloud IQ - Site Engine (XIQ-SE) | Yes |
| ExtremeControl for Site Engine | Yes |
| ExtremeCloud IQ Controller (IQC/XCC) | Yes |
Repair Recommendations
- ExtremeAnalytics for Site Engine:
  - Fixed in 26.02.11 or later.
- ExtremeCloud IQ - Site Engine (XIQ-SE):
  - Fixed in 26.02.11 or later.
- ExtremeControl for Site Engine:
  - Fixed in 26.02.11 or later.
- ExtremeCloud IQ Controller (IQC/XCC):
  - Fixed in 10.19.01 or later.
Please see the full Security Advisory article here for more details and future updates.