Longstanding Security Vulnerability Found in LZO Compression Algorithm

A serious security hole that has been plaguing the Lempel-Ziv-Oberhumer (LZO) algorithm for the past 20 years has been finally patched.

The LZO algorithm was created in 1994 by Markus Oberhumer, whose core open source implementation has been rewritten by numerous companies. LZO has been used for compression and decompression in various software applications, including OpenVPN, MPlayer2, Libav, FFmpeg, the Linux kernel, Android, iOS and even in the embedded systems that power NASA’s Mars Curiosity Rover.

The details of the vulnerability were disclosed on Thursday by Don A. Bailey, founder and CEO of Lab Mouse Security, who explained that all implementations, including the more recent LZ4, which is used in Solaris and FreeBSD, inherited a “subtle” integer overflow vulnerability that could lead to denial-of-service (DoS) and even remote code execution.

“Each variant of the LZO and LZ4 implementation is vulnerable in slightly different ways. The attacker must construct a malicious payload to fit each particular implementation. One payload cannot be used to trigger more than a DoS on each implementation. Because of the slightly different overflow requirements, state machine subtleties, and overflow checks that must be bypassed, even a worldwide DoS is not a simple task,” Bailey said in a blog post.

“This results in completely different threats depending on the implementation of the algorithm, the underlying architecture, and the memory layout of the target application. Remote Code Execution (RCE) is possible on multiple architectures and platforms, but absolutely not all. Denial of Service is possible on most implementations, but not all. Adjacent Object Over-Write (OOW) is possible on many architectures,” he added.
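The article gives no code, and Lab Mouse deliberately withheld the technical details, so the following is an added illustration written for this page, not LZO's, LZ4's or Lab Mouse's code. It uses a hypothetical toy literal-run format (a LEB128 varint run length followed by that many literal bytes) to show the general class of bug the article describes: a bounds check whose integer arithmetic wraps, so an oversized length field slips past the check and the decoder would copy far beyond the buffer. The "hardened" variant compares the length against the remaining input and output instead of forming a sum that can overflow, and also caps the varint at five bytes so the accumulator itself cannot be driven past 32 bits. The format, function names and sample inputs are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical toy LZ-style literal run (invented for this example):
 * a LEB128 varint giving the run length, followed by that many literal
 * bytes. This is NOT the real LZO or LZ4 encoding. */

/* Parse a LEB128 varint of at most 5 bytes (so the shift never reaches 32).
 * Returns the number of header bytes consumed, or 0 if the header is
 * truncated or longer than 5 bytes. Bits beyond 32 are discarded. */
static uint32_t read_run_length(const uint8_t *in, uint32_t in_len, uint32_t *len)
{
    uint32_t value = 0;
    uint32_t i;
    for (i = 0; i < 5 && i < in_len; i++) {
        uint8_t b = in[i];
        value |= (uint32_t)(b & 0x7fu) << (7u * i);
        if ((b & 0x80u) == 0) {      /* high bit clear: last header byte */
            *len = value;
            return i + 1;
        }
    }
    return 0;
}

/* VULNERABLE bounds check, illustrating the bug class from the article:
 * `hdr + *len` is computed in 32-bit unsigned arithmetic and wraps when
 * the claimed length is close to UINT32_MAX, so the comparison passes and
 * a real decoder would go on to copy far more bytes than the input holds.
 * This helper only reports whether the check accepts the header; it never
 * performs the copy. */
int run_passes_vulnerable_check(const uint8_t *in, uint32_t in_len, uint32_t *len)
{
    uint32_t hdr = read_run_length(in, in_len, len);
    if (hdr == 0)
        return 0;
    if (hdr + *len > in_len)      /* wraps: 5 + 0xFFFFFFFF == 4 */
        return 0;
    return 1;
}

/* HARDENED decoder: compare the length against what remains, never form a
 * sum. Neither subtraction can underflow because hdr <= in_len, and the
 * output capacity is checked before memcpy. */
int decode_literal_run_hardened(const uint8_t *in, uint32_t in_len,
                                uint8_t *out, uint32_t out_cap, uint32_t *out_len)
{
    uint32_t len;
    uint32_t hdr = read_run_length(in, in_len, &len);
    if (hdr == 0)
        return 0;
    if (len > in_len - hdr)       /* not enough input bytes for the run */
        return 0;
    if (len > out_cap)            /* not enough room in the output */
        return 0;
    memcpy(out, in + hdr, len);
    *out_len = len;
    return 1;
}

/* Constructed sample inputs (not real captures). */
static const uint8_t benign_run[] = { 0x03, 'L', 'Z', 'O' };
/* Header claims 0xFFFFFFFF literal bytes, but only three follow. */
static const uint8_t wrapping_run[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0x0F, 'L', 'Z', 'O' };

/* Self-check helpers: each returns 1 when the behaviour described holds. */
int vulnerable_accepts_wrapping_header(void)
{
    uint32_t len = 0;
    return run_passes_vulnerable_check(wrapping_run, (uint32_t)sizeof wrapping_run, &len)
           && len == 0xFFFFFFFFu;
}

int hardened_rejects_wrapping_header(void)
{
    uint8_t out[16];
    uint32_t out_len = 0;
    return decode_literal_run_hardened(wrapping_run, (uint32_t)sizeof wrapping_run,
                                       out, (uint32_t)sizeof out, &out_len) == 0;
}

int hardened_decodes_benign_run(void)
{
    uint8_t out[16];
    uint32_t out_len = 0;
    return decode_literal_run_hardened(benign_run, (uint32_t)sizeof benign_run,
                                       out, (uint32_t)sizeof out, &out_len) == 1
           && out_len == 3 && memcmp(out, "LZO", 3) == 0;
}

int main(void)
{
    printf("vulnerable check accepts wrapping header: %d\n", vulnerable_accepts_wrapping_header());
    printf("hardened decoder rejects wrapping header: %d\n", hardened_rejects_wrapping_header());
    printf("hardened decoder decodes benign run:      %d\n", hardened_decodes_benign_run());
    return 0;
}
```

The takeaway for reviewers of any decompressor is the shape of the check: `len > remaining` is safe because `remaining` is derived from values already known to be in range, whereas `pos + len > end` silently wraps on 32-bit builds (and with pointer arithmetic is undefined behaviour), which is exactly why the same source can be exploitable on one architecture and merely crash on another, as Bailey describes.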

According to Bailey, his company has contacted vendors who use the vulnerable algorithm and they’ve all provided patches for their products. Lab Mouse has published only limited technical information on the flaw to give users time to patch their installations.

Trey Ford, global security strategist at Rapid7, noted that the LZO algorithm vulnerability can be exploited for remote code execution only in certain circumstances; for instance, the attacker needs to include malicious code in a file that’s accessed through a vulnerable system.

“You’re not looking at sites like YouTube or Vimeo here, more like direct peer-to-peer content sharing,” Ford told SecurityWeek. “LZO compression is used all over the place. You will find it in practically all variants of Linux including Solaris, iOS and Android, so the impact of this vulnerability will likely be extremely widespread, affecting servers, desktops, laptops, phones – almost anything you might view a video on.”

Ford advises consumers to apply patches for video players, plugins and converters as soon as possible, and in the meantime to avoid running video files unless really needed. He also recommends that users refrain from visiting websites that auto-run video.


“For businesses, there is potential for mail gateway AV scanners to be the greatest threat, and it looks like 8 out of the top 53 AV solutions on VirusTotal are currently showing they can decode the LZ4, potentially opening the door to exploitation. IT departments should prioritize a patching strategy. We may also see this impact compression archive utilities and anti-virus tools, only time will tell. In a matter of time attackers will have both Denial of Service capabilities, and in some cases the ability to execute code remotely,” Ford said.

“The frustrating thing is that this will likely be another textbook case of slow patching for embedded and consumer devices putting people at further risk for longer. Keep an eye open for mobile phone updates – I am particularly concerned about Android devices that have carrier controlled patch cycles. For all users receiving ‘click here to see this video’ messages, that click just got scary.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
