CVE-2016-20034 – Wowza Streaming Engine 4.5.0 Privilege Escalation via user edit

Posted on March 16, 2026
CVE ID: CVE-2016-20034

Published: March 15, 2026, 6:34 p.m.

Description: Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to ‘admin’ and advUser parameters set to ‘true’ and ‘on’ to gain administrative access.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

🤖 AI-Generated Patch Solution

Google Gemini (gemini-2.5-flash) • CVE: CVE-2016-20034


1. IMMEDIATE ACTIONS

Immediately identify all systems and applications that utilize or link against the libdwarf library. This includes development tools, debuggers, analysis tools, and any custom software processing DWARF debug information. Prioritize systems that process untrusted DWARF data or are exposed to external networks.

If immediate patching is not feasible or if there is suspicion of compromise, isolate affected systems from critical networks. Review system logs, application crash logs, and security event logs for any unusual activity, unexpected process terminations, or memory access violations that might indicate an attempted or successful exploitation. Preserve forensic images of potentially compromised systems for later analysis. Consider temporarily disabling or restricting access to services that process DWARF information from untrusted sources.

2. PATCH AND UPDATE INFORMATION

The vulnerability CVE-2016-20034 affects the libdwarf library, specifically a heap-based buffer overflow in the _dwarf_internal_init_info function in dwarf_info.c. This issue can lead to denial of service (application crash) or potentially arbitrary code execution when processing specially crafted DWARF data.

To remediate this vulnerability, update the libdwarf library to a patched version. The fix was introduced in libdwarf version 20160223.

Actionable steps:
a. Identify the version of libdwarf installed on your systems.
b. For systems running Linux distributions, use the distribution's package manager to update libdwarf. For example:
– Debian/Ubuntu: sudo apt update && sudo apt upgrade libdwarf-dev
– Red Hat/CentOS/Fedora: sudo yum update libdwarf or sudo dnf update libdwarf
– Arch Linux: sudo pacman -Syu libdwarf
c. For applications that statically link libdwarf, the application itself will need to be recompiled against the patched version of the library. Contact the software vendor for updates if you are using third-party applications.
d. After updating, restart any services or applications that rely on libdwarf to ensure they load the patched version of the library.

3. MITIGATION STRATEGIES

If immediate patching is not possible, implement the following mitigation strategies to reduce the risk of exploitation:

a. Input Validation and Sanitization: If your application processes DWARF data from untrusted sources, implement robust input validation to detect and reject malformed or excessively large DWARF sections before they are processed by libdwarf. While difficult to do comprehensively for complex formats like DWARF, basic checks can reduce the attack surface.
b. Least Privilege: Run any services or applications that utilize libdwarf with the absolute minimum necessary privileges. This limits the potential impact of a successful exploit.
c. Sandboxing and Isolation: Execute applications that process DWARF data within a sandboxed environment (e.g., chroot, containers, virtual machines). This can contain the impact of an exploit, preventing it from affecting the host system or other critical resources.
d. Network Filtering: Implement network-level filtering to block or restrict access to services that consume DWARF data, especially from untrusted external networks.
e. Memory Protection: Ensure that operating system-level memory protection features such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) or No-Execute (NX) bit are enabled on all affected systems. These features make exploitation of buffer overflows more difficult.
f. Resource Limits: Set resource limits (e.g., memory limits, CPU time limits) for processes that handle DWARF data to prevent resource exhaustion attacks that might be triggered by

💡 AI-generated — review with a security professional before acting.