JFrog Senior Security Researcher Reveals Critical X.Org libX11 Vulnerabilities

CXOToday has engaged in an exclusive interview with Yair Mizrahi, Senior Security Researcher at JFrog

1. Describe the two vulnerabilities discovered in X.Org libX11 as mentioned in the report.

X.Org libX11 is a widely popular graphics library. The recently discovered and fixed security vulnerabilities, CVE-2023-43786 and CVE-2023-43787 (with a high NVD severity CVSS 7.8), cause a denial-of-service and remote code execution.

  • The CVE-2023-43786 DoS vulnerability is an infinite loop resulting from an incorrect recursion stop condition calculation. The vulnerability occurs when parsing a malformed XPM image.
  • The CVE-2023-43787 RCE vulnerability is a heap-based buffer overflow vulnerability that occurs when parsing a malformed XPM image, which can be exploited to achieve remote code execution.

2. What is the impact of the Denial-of-Service vulnerability on systems using X.Org libX11?

The CVE-2023-43786 DoS vulnerability can crash a remote service that parses user-supplied XPM images.
The CVE-2023-43787 RCE vulnerability can potentially allow attackers to remotely execute code on a remote service that parses user-supplied XPM images.

3. Explain the technical details of the DoS vulnerability and how it can be triggered.

The function that is responsible for transferring pixel data from an XImage structure to a designated drawable object did not take into consideration a part of the calculation (bits_per_pixel), which resulted in an endless loop of recursion with the same arguments.

For the full analysis, refer to the DoS vulnerability – CVE-2023-43786 section.

4. How did the security team propose a fix for the DoS vulnerability?

The security team did not propose a fix for the DoS, but for the RCE vulnerability.

After extensively researching the RCE vulnerability and fully understanding it, we proposed a fix for it via the responsible disclosure process with the libXPM maintainers.

Alan Coopersmith of Oracle Solaris Engineering, who triaged both vulnerabilities, fixed the DoS vulnerability.

5. How does the JFrog Security team confirm that the JFrog Platform is not vulnerable to the mentioned CVEs?

After conducting an internal analysis, we can confirm that the JFrog Platform is not vulnerable to CVE-2023-43786 or CVE-2023-43787. Our dedicated application security team triages such cases and ensures none of our codebase is vulnerable. For example, in this case, the JFrog Platform never parses XPM images and therefore is not vulnerable.