Longstanding Security Vulnerability Found in LZO Compression Algorithm

A serious security hole that has been plaguing the Lempel-Ziv-Oberhumer (LZO) algorithm for the past 20 years has been finally patched.

The LZO algorithm was created in 1994 by Markus Oberhumer, whose core open source implementation has been rewritten by numerous companies. LZO has been used for compression and decompression in various software applications, including OpenVPN, MPlayer2, Libav, FFmpeg, the Linux kernel, Android, iOS and even in the embedded systems that power NASA’s Mars Curiosity Rover.

The details of the vulnerability were disclosed on Thursday by Don A. Bailey, founder and CEO of Lab Mouse Security, who explained that all implementations, including the recent LZ4 which is used in Solaris and FreeBSD, inherited a “subtle” integer overflow vulnerability that could lead to denial-of-service (DoS) and even remote code execution.

“Each variant of the LZO and LZ4 implementation is vulnerable in slightly different ways. The attacker must construct a malicious payload to fit each particular implementation. One payload cannot be used to trigger more than a DoS on each implementation. Because of the slightly different overflow requirements, state machine subtleties, and overflow checks that must be bypassed, even a worldwide DoS is not a simple task,” Bailey said in a blog post.
“This results in completely different threats depending on the implementation of the algorithm, the underlying architecture, and the memory layout of the target application. Remote Code Execution (RCE) is possible on multiple architectures and platforms, but absolutely not all. Denial of Service is possible on most implementations, but not all. Adjacent Object Over-Write (OOW) is possible on many architectures,” he added.

According to Bailey, his company has contacted vendors who use the vulnerable algorithm and they’ve all provided patches for their products. Lab Mouse has published only limited technical information on the flaw to give users time to patch their installations.

Trey Ford, global security strategist at Rapid7, noted that the LZO algorithm vulnerability can be exploited for remote code execution only in certain circumstances  ̶  for instance, the attacker needs to include malicious code in a file that’s accessed through a vulnerable system.

“You’re not looking at sites like YouTube or Vimeo here, more like direct peer-to-peer content sharing,” Ford told SecurityWeek. “LZO compression is used all over the place. You will find it in practically all variants of Linux including Solaris, iOS and Android, so the impact of this vulnerability will likely be extremely widespread, affecting servers, desktops, laptops, phones – almost anything you might view a video on.”

The expert advises consumers to apply patches for video players, plugins and converters as soon as possible, and in the meantime avoid running video files unless really needed. In addition, users are recommended to refrain from visiting websites that auto-run video.

“For businesses, there is potential for mail gateway AV scanners to be the greatest threat, and it looks like 8 out of the top 53 AV solutions on VirusTotal are currently showing they can decode the LZ4, potentially opening the door to exploitation.  IT departments should prioritize a patching strategy.  We may also see this impact compression archive utilities and anti-virus tools, only time will tell. In a matter of time attackers will have both Denial of Service capabilities, and in some cases the ability to execute code remotely,” Ford said.

 “The frustrating thing is that this will likely be another textbook case of slow patching for embedded and consumer devices putting people at further risk for longer. Keep an eye open for mobile phone updates – I am particularly concerned about Android devices that have carrier controlled patch cycles.  For all users receiving ‘click here to see this video’ messages, that click just got scary.”