CVE-2023-36864
Description
An integer overflow vulnerability exists in the fstReaderIterBlocks2 temp_signal_value_buf allocation functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in GTKWave 3.3.115 fstReaderIterBlocks2 can lead to arbitrary code execution via crafted .fst file.
Vulnerability
An integer overflow vulnerability exists in the fstReaderIterBlocks2 function's temp_signal_value_buf allocation within GTKWave version 3.3.115. The bug is triggered when opening a specially crafted .fst file, where the computation of buffer size wraps around due to integer overflow (CWE-190), leading to an undersized allocation. This can be exploited without any special configuration; simply opening the malicious file via the GUI or command line (e.g., by double-clicking a wave file received by email) reaches the vulnerable code path [1].
Exploitation
An attacker needs only to craft a malicious .fst file and deliver it to a victim, who must open it using GTKWave. No authentication, special network position, or user interaction beyond opening the file is required. The integer overflow occurs during the allocation for temp_signal_value_buf inside fstReaderIterBlocks2, and subsequent memory operations based on the undersized buffer can lead to heap corruption. Opening the file, whether through the GUI or the command-line tool, is the only step the victim needs to take [1].
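As an added illustration, not GTKWave's code and not taken from the Talos advisory, the C model below shows the sizing bug class the description names (a buffer size computed from file-supplied counts wrapping in 32-bit arithmetic) next to an overflow-checked allocation that rejects the file instead of under-allocating; the count names, the +1 and the file-size bound are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the CWE-190 pattern described above: a reader takes
 * two 32-bit counts straight from the file and sizes a buffer from them in
 * 32-bit arithmetic. For large counts the product wraps, the allocation is
 * far smaller than the data later copied into it, and the heap is corrupted.
 * This is NOT GTKWave's code; the parameter names are invented. */
static uint32_t unchecked_buf_size(uint32_t num_signals, uint32_t max_value_len)
{
    return num_signals * max_value_len + 1;   /* silently wraps modulo 2^32 */
}

/* Hardened sizing: overflow-checked arithmetic in size_t plus a plausibility
 * bound (file-supplied counts cannot describe more data than the file holds).
 * Returns 1 and writes *out on success, 0 if the file must be rejected. */
static int checked_buf_size(uint32_t num_signals, uint32_t max_value_len,
                            uint64_t file_bytes_remaining, size_t *out)
{
    size_t need;

    /* a*b overflows size_t exactly when a > SIZE_MAX / b (for b != 0). */
    if (max_value_len != 0 && (size_t)num_signals > SIZE_MAX / max_value_len)
        return 0;
    need = (size_t)num_signals * max_value_len;
    if (need == SIZE_MAX)                     /* no room for the trailing +1 */
        return 0;
    need += 1;
    if (need > file_bytes_remaining)          /* more than the file can carry */
        return 0;
    *out = need;
    return 1;
}

/* Allocation wrapper: refuses the file instead of handing back a short buffer. */
static void *alloc_temp_signal_buf(uint32_t num_signals, uint32_t max_value_len,
                                   uint64_t file_bytes_remaining)
{
    size_t need;
    if (!checked_buf_size(num_signals, max_value_len, file_bytes_remaining, &need))
        return NULL;
    return calloc(need, 1);
}

int main(void)
{
    /* Constructed input: 65536 * 65536 = 2^32 wraps to 0, so the naive size is 1 byte. */
    printf("naive size: %u\n", unchecked_buf_size(0x10000u, 0x10000u));
    void *p = alloc_temp_signal_buf(0x10000u, 0x10000u, 1000000u);
    printf("hardened allocation: %s\n", p ? "accepted" : "rejected");
    free(p);
    return 0;
}
```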
Impact
Successful exploitation results in arbitrary code execution under the privileges of the victim running GTKWave. This allows complete compromise of confidentiality, integrity, and availability of the affected system (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, score 7.8) [1].
Mitigation
No fixed version has been disclosed in the advisory from Cisco Talos (TALOS-2023-1797). As of the publication date (2024-01-08), users are advised to avoid opening .fst files from untrusted sources. Beyond that precaution, no workaround or patch details are provided, and this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
GTKWave / GTKWave, version range: 3.3.115
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.