Two serious security vulnerabilities exist in OpenCV

Researchers at Cisco Talos discovered two buffer overflow vulnerabilities in OpenCV version 4.1.0, namely CVE-2019-5063 (CVSS score 8.8) and CVE-2019-5064 (CVSS score 8.8).

OpenCV (Open source computer vision) is a library of programming functions mainly aimed at real-time computer vision.[1] Originally developed by Intel, it was later supported by Willow Garage then Itseez (which was later acquired by Intel[2]). The library is cross-platform and free for use under the open-source BSD license.

OpenCV supports the deep learning frameworks TensorFlow, Torch/PyTorch and Caffe.


Major technology companies including Google, Yahoo, Microsoft, Intel, IBM, Sony, Honda, Toyota, etc. use the library to develop facial recognition technology, robotics, motion tracking, and other solutions.

An exploitable heap buffer overflow vulnerability exists in the data structure persistence feature of OpenCV version 4.1.0. A specially crafted JSON file may cause a buffer overflow, resulting in multiple heap corruptions and possible code execution. An attacker could provide a specially crafted file to trigger this vulnerability.

The first vulnerability, CVE-2019-5063 (CVSS score 8.8), is a heap buffer overflow vulnerability that resides in the data structure persistence feature of OpenCV 4.1.0. This feature lets developers write OpenCV data structures to disk and read them back.

According to Talos, when parsing an XML file containing a reference to a potential character entity and encountering the “&” character, the API continues to extract alphanumeric characters until a semicolon. If the string does not match any of the strings in the switch statement, the data is copied to the buffer as is.

This allows an attacker to create special XML files and trigger a buffer overflow, which can cause multiple heap corruptions and potential code execution.
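The defensive counterpart of the behaviour Talos describes is an entity decoder that bounds the name it collects after "&" and rejects anything it does not recognise instead of copying it through. The following is an added illustration, not OpenCV's own persistence code; the function name, the length limit and the bool/output-parameter interface are assumptions made for the example.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Upper bound on the characters accepted between '&' and ';'. The longest
// predefined XML entity name is four characters ("quot", "apos"), so a
// longer run is treated as malformed rather than buffered as-is.
// (Assumed value for this example.)
constexpr std::size_t kMaxEntityLen = 8;

// Decode the five predefined XML entities in `in` into `out`.
// Returns false when an entity reference is unterminated, too long, or not
// a known name; the caller should reject the document instead of falling
// back to a raw copy of the unmatched text.
bool decodeXmlEntities(const std::string& in, std::string& out) {
    out.clear();
    out.reserve(in.size());
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '&') { out += in[i]; continue; }
        // Collect the entity name: alphanumerics up to the next ';'.
        std::size_t j = i + 1;
        std::string name;
        while (j < in.size() && std::isalnum(static_cast<unsigned char>(in[j]))) {
            if (name.size() >= kMaxEntityLen) return false;  // length check
            name += in[j++];
        }
        // Missing ';' or empty name: malformed reference.
        if (j >= in.size() || in[j] != ';' || name.empty()) return false;
        if      (name == "lt")   out += '<';
        else if (name == "gt")   out += '>';
        else if (name == "amp")  out += '&';
        else if (name == "quot") out += '"';
        else if (name == "apos") out += '\'';
        else return false;  // unknown entity: reject, never copy as-is
        i = j;  // continue after the ';'
    }
    return true;
}
```

The reject-on-unknown branch is the point: the unsafe pattern the advisory describes is the "copy the data to the buffer as is" fallback, and the length check keeps the collected name from growing without bound.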

Talos explained that the second vulnerability, CVE-2019-5064 (CVSS score 8.8), is also in the library’s data structure persistence feature and can be triggered using a specially crafted JSON file.

Both of these vulnerabilities were discovered in OpenCV 4.1.0 and reported to the vendor in July 2019. OpenCV 4.2.0, released at the end of December 2019, resolves these two buffer overflow vulnerabilities.