Google, Yahoo, Microsoft, Intel, IBM, Sony, Honda, Toyota, among others, affected by critical vulnerabilities in OpenCV

Security flaws in widely used technologies can have disastrous consequences for many developers and companies at once. A Cisco Talos vulnerability testing team has reported two buffer overflow flaws in Open Source Computer Vision (OpenCV), a programming library used for real-time computer vision.

This is a report of considerable seriousness, as the library is used by some of the world's leading technology companies, including Google, Microsoft, Intel, IBM, Toyota and Yahoo, primarily for projects related to facial recognition, robotics and motion sensing, among other applications.

The first flaw, tracked as CVE-2019-5063, was found in the structured data persistence functionality of OpenCV v4.1.0. It is exploitable using a specially crafted JSON file that triggers a buffer overflow, which could lead to further damage.

According to the vulnerability testing experts, when parsing an XML file that contains a character entity reference, upon encountering the character "&" the API keeps extracting alphanumeric characters until a semicolon (;) is found. If the resulting string does not match any of the strings in the switch statement, the data is copied into the buffer as-is.

This scenario allows threat actors to create specially crafted XML files to trigger the buffer overflow, which can serve as an initial attack vector for further malicious actions, such as code execution on the target system.
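To illustrate the defect class described above from the defender's side, the following is an added C++ example (written for this article, not OpenCV's own code) of an entity decoder that enforces a length bound on the entity name before anything is copied; the entity table and the bound of 8 characters are assumptions.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <unordered_map>

// Assumed bound: longest known entity name plus some slack. A fixed-size
// destination buffer would be sized from this same constant.
static const std::size_t kMaxEntityLen = 8;

// Assumed entity table; a real parser would carry the full set it supports.
static const std::unordered_map<std::string, char> kKnownEntities = {
    {"lt", '<'}, {"gt", '>'}, {"amp", '&'}, {"quot", '"'}, {"apos", '\''}};

// Mirrors the parsing the article describes ('&' starts an entity,
// alphanumerics are collected until ';', unknown names are copied through),
// but returns false instead of copying when the name is unterminated, empty,
// or longer than kMaxEntityLen. Decoded text is written to `out` on success.
bool decodeEntities(const std::string& in, std::string& out) {
    out.clear();
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '&') { out += in[i]; continue; }
        std::string name;
        std::size_t j = i + 1;
        while (j < in.size() && std::isalnum(static_cast<unsigned char>(in[j]))) {
            if (name.size() == kMaxEntityLen) return false;  // bound enforced before copy
            name += in[j++];
        }
        if (j >= in.size() || in[j] != ';' || name.empty()) return false;  // malformed entity
        auto it = kKnownEntities.find(name);
        if (it != kKnownEntities.end()) out += it->second;   // known entity: substitute
        else out += '&' + name + ';';                        // unknown entity: copy as-is, bounded
        i = j;  // skip past the terminating ';'
    }
    return true;
}

int main() {
    std::string out;
    // Constructed inputs: a benign document and an overlong entity name.
    std::cout << (decodeEntities("a &lt; b &amp; c", out) ? out : "rejected") << '\n';
    std::cout << (decodeEntities("&" + std::string(100, 'A') + ";", out) ? out : "rejected") << '\n';
    return 0;
}
```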

As for the second vulnerability, tracked as CVE-2019-5064, it is also present in the structured data persistence feature and could be exploited using a specially crafted JSON file.

Both vulnerabilities have already been reported to the developers. After receiving the report, the OpenCV developers stated that version 4.2.0, released during the last days of 2019, already contains the fixes for these two bugs, so developers using this library are advised to upgrade to this version as soon as possible.

The New Year began with multiple companies releasing major security updates; just a few days ago, vulnerability testing specialists from the International Institute of Cyber Security (IICS) reported a massive update from Oracle fixing nearly 400 security flaws across more than 90 different products.