Stack Overflow in p11-kit RPC Message Parsing

Impact Analysis

Exploitation of this vulnerability results in a denial of service by crashing the p11-kit server process through stack exhaustion caused by unbounded recursion.

Since p11-kit is used by various dependent applications such as SSH agents, VPN clients, and web browsers for PKCS#11 module management, these services can also be disrupted, potentially impacting system security and availability.

The attacker does not need authentication beyond local access to the Unix domain socket, making it a risk for local users or processes on the same machine.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in p11-kit, specifically in the RPC message attribute parsing functions p11_rpc_message_get_attribute() and p11_rpc_message_get_attribute_array_value(). These functions call each other recursively without any limit on recursion depth when processing certain nested attributes such as CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE.

An attacker with local access to the p11-kit RPC Unix domain socket can send a specially crafted request containing deeply nested template attributes. Because there is no recursion depth limit, this causes stack exhaustion, leading to a crash of the p11-kit server process and any dependent services.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the p11-kit server process for crashes or abnormal termination signals such as SIGSEGV or SIGBUS, which indicate stack exhaustion caused by deeply nested RPC attribute parsing.

Since the exploit involves sending specially crafted requests with deeply nested template attributes via the p11-kit RPC Unix domain socket, detection can involve checking for unusual or large C_CreateObject requests targeting this socket.

Suggested commands to help detect potential exploitation attempts include:

• Use system logs to check for p11-kit crashes: `journalctl -u p11-kit` or `dmesg | grep p11-kit`
• Monitor Unix domain socket activity for p11-kit (commonly located in /run or /var/run) using tools like `ss -xl | grep p11-kit` or `lsof -U | grep p11-kit`
• Trace or log RPC calls to the p11-kit socket to identify unusually large or deeply nested attribute requests, possibly using `strace` or custom socket monitoring scripts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the p11-kit RPC Unix domain socket to trusted users only, as exploitation requires local access to this socket.

Additionally, monitor the p11-kit process for crashes and restart it if necessary to maintain service availability.

Applying any available patches or updates from the vendor that address this vulnerability is critical once they are released.

As a temporary measure, consider limiting or disabling services that depend on p11-kit if they are not essential, to reduce the attack surface.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0