Published:2022/08/04  Last Updated:2022/08/04

JVN#42883072
Kaitai Struct: compiler vulnerable to denial-of-service (DoS)

Overview

Kaitai Struct: compiler contains a denial-of-service (DoS) vulnerability.

Products Affected

  • Kaitai Struct: compiler 0.9 and earlier

Description

Kaitai Struct: compiler provided by Kaitai team contains SnakeYAML library version 1.25, which is used in parsing .ksy files.
SnakeYAML version 1.25 expands recursive aliases unlimitedly (CWE-674), hence Katai Struct: compiler is vulnerable to a denial-of-service (DoS) attack by Billion Laughs Attack.

Impact

Processing untrusted .ksy files may cause a denial-of-service (DoS) condition.

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.
According to the developer, this vulnerability has been fixed at version 0.10 by updating the bundled SnakeYAML library.

Vendor Status

Vendor Link
Kaitai team kaitai-io / kaitai_struct_compiler
Update SnakeYAML to 1.29 (was 1.25: vulnerable to "billion laughs")

References

  1. snyk
    Preventing YAML parsing vulnerabilities with snakeyaml in Java

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Base Score: 5.5
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:M/Au:N/C:N/I:N/A:P
Base Score: 4.3
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Taichi Kotake of Sterra Security Co.,Ltd. / Akatsuki Games Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2017-18640
JVN iPedia JVNDB-2022-000062