Threat Advisory

Open Babel Flaw Lets Attackers Write Arbitrary Memory

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A memory-safety vulnerability affecting openbabel versions < 3.2.0 affecting openbabel versions All releases up to and including 3 in Open Babel's MOPAC output parser, identified as CVE-2022-46292 with a CVSS score of 7.8, affects all releases up to and including version 3.1.1. This flaw allows an out-of-bounds write into the translationVectors array when reading the UNIT CELL TRANSLATION block of a crafted input file, enabling an attacker to trigger this vulnerability by opening a malicious MOPAC output file with the obabel tool or any language bindings. The business impact is significant, as Open Babel is used in services that parse untrusted input such as Linux distributions and embedded systems, potentially leading to arbitrary memory writes and data corruption.

RECOMMENDATION:

We recommend you to update openbabel to version 3.2.0.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A memory-safety vulnerability affecting openbabel versions < 3.2.0 affecting openbabel versions All releases up to and including 3 in Open Babel's MOPAC output parser, identified as CVE-2022-46292 with a CVSS score of 7.8, affects all releases up to and including version 3.1.1. This flaw allows an out-of-bounds write into the translationVectors array when reading the UNIT CELL TRANSLATION block of a crafted input file, enabling an attacker to trigger this vulnerability by opening a malicious MOPAC output file with the obabel tool or any language bindings. The business impact is significant, as Open Babel is used in services that parse untrusted input such as Linux distributions and embedded systems, potentially leading to arbitrary memory writes and data corruption.

RECOMMENDATION:

We recommend you to update openbabel to version 3.2.0.[emaillocker id="1283"]

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu