The link in the HN submission contains the same text and excerpt from your link.
Additionally they note: -
"While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."
IMO, probably in of itself, this alone is not able to do much besides maybe a crash / Denial of Service on modern systems. But it might be able to be used as part of a more advanced exploit chain, alongside other vulnerabilities, to potentially reach remote code execution, though this would be a much more sophisticated exploit and is maybe a bit of a reach. Still, I hesitate to call it impossible on modern systems due to the creativity of exploit developers.
> though this would be a much more sophisticated exploit and is maybe a bit of a reach.
Not necessarily. I have successfully exploited stack buffer overflows in major products despite stack canaries, ASLR, and DEP. It largely depends on context; if the vector is something that can be hit repeatedly, such a webform that that takes a cert or whatever, that simplifies things a lot versus something like a file format exploit, where you probably only get one chance. While I haven't analyzed this vulnerability, I would absolutely assume exploitability even if I couldn't see a way myself.
"Modern platform" is doing a lot of lifting; CMS and PKCS#7 rear their heads in all kinds of random places, like encryption/signing of OTA updates for routers. Those platforms are often (unreasonably) 10-20 years behind the norm for compile-time mitigations.
OpenSSL is used by approximately everything under the sun. Some of those users will be vendors that use default compiler flags without stack cookies. A lot of IoT devices for example still don't have stack cookies for any of their software.
It depends on what mitigations are in place and the arrangement of the stack. Even with stack canaries, having an unfortunate value on the stack e.g. a function pointer can still be quite dangerous if it can be overwritten without hitting any of the stack canaries.
I’ll answer to myself: an RCE is very unlikely on any modern platform. DoS is possible.
“ Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.”
From: https://openssl-library.org/news/secadv/20260127.txt
The link in the HN submission contains the same text and excerpt from your link.
Additionally they note: -
"While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."
IMO, probably in of itself, this alone is not able to do much besides maybe a crash / Denial of Service on modern systems. But it might be able to be used as part of a more advanced exploit chain, alongside other vulnerabilities, to potentially reach remote code execution, though this would be a much more sophisticated exploit and is maybe a bit of a reach. Still, I hesitate to call it impossible on modern systems due to the creativity of exploit developers.
> though this would be a much more sophisticated exploit and is maybe a bit of a reach.
Not necessarily. I have successfully exploited stack buffer overflows in major products despite stack canaries, ASLR, and DEP. It largely depends on context; if the vector is something that can be hit repeatedly, such a webform that that takes a cert or whatever, that simplifies things a lot versus something like a file format exploit, where you probably only get one chance. While I haven't analyzed this vulnerability, I would absolutely assume exploitability even if I couldn't see a way myself.
You are right. I linked a differently formatted article with the same content. I don’t know why I didn’t initially notice such text.
"Modern platform" is doing a lot of lifting; CMS and PKCS#7 rear their heads in all kinds of random places, like encryption/signing of OTA updates for routers. Those platforms are often (unreasonably) 10-20 years behind the norm for compile-time mitigations.
OpenSSL is used by approximately everything under the sun. Some of those users will be vendors that use default compiler flags without stack cookies. A lot of IoT devices for example still don't have stack cookies for any of their software.
Yes, but it would likely have to be chained with other bugs - at minimum, something that gives you an info leak.
It depends on what mitigations are in place and the arrangement of the stack. Even with stack canaries, having an unfortunate value on the stack e.g. a function pointer can still be quite dangerous if it can be overwritten without hitting any of the stack canaries.
That depends on how aggressively the service is restarted.