CVE-2020-28615
Description
Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An OOB read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->shalfedges_last().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in CGAL's Nef polygon parser can lead to code execution via a crafted file.
Vulnerability
An out-of-bounds read vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal version CGAL-5.1.1. The bug resides in the SNC_io_parser::read_vertex() function within Nef_S2/SNC_io_parser.h, where an array index is improperly validated (CWE-129) while processing a specially crafted malformed .nef3 file. This can lead to type confusion and potentially code execution. The affected code path is reachable when parsing Nef polygons, a common operation in CGAL-based applications [1].
Exploitation
An attacker can exploit this vulnerability by providing a maliciously crafted .nef3 file to an application that uses the CGAL library. No authentication or user interaction is required; the attack can be launched remotely over a network. The CVSSv3 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) reflects the ease of exploitation. The malformed file triggers an out-of-bounds read in read_vertex(), which can then lead to type confusion and arbitrary code execution [1].
Impact
Successful exploitation allows an attacker to achieve arbitrary code execution in the context of the process using CGAL. This can lead to full compromise of confidentiality, integrity, and availability of the affected system. The impact is critical, as the vulnerability can be triggered without any prior access or privileges [1].
Mitigation
The vulnerability is fixed in CGAL version 5.4.1 and later. Users should upgrade to at least this version. The Gentoo security advisory (GLSA 202305-34) recommends upgrading to >=sci-mathematics/cgal-5.4.1. No known workaround exists for this issue [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3
- CGAL Project/libcgal v5 (Range: CGAL-5.1.1)
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202305-34 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2022/12/msg00011.html (mitre, mailing-list)
- talosintelligence.com/vulnerability_reports/TALOS-2020-1225 (mitre)