CVE-2023-37416

Vulnerability

Multiple out-of-bounds write vulnerabilities exist in the parse_valuechange portdump functionality of GTKWave version 3.3.115. The bug resides in the legacy VCD parsing code used by the GUI and several conversion utilities (vcd2lxt, vcd2lxt2, vcd2vzt). The vcd_parse function processes each line of a VCD file and, during token handling, does not properly validate write bounds when storing value change information. A specially crafted .vcd file can trigger out-of-bounds writes, as confirmed by Cisco Talos advisory TALOS-2023-1804 [1].

Exploitation

An attacker can exploit these vulnerabilities by crafting a malicious .vcd file and convincing a victim to open it using the GTKWave GUI or a vulnerable command-line converter. No special network position or authentication is required; only user interaction (opening the file) is needed. The out-of-bounds write occurs when the parse_valuechange function is invoked, leading to memory corruption that can be leveraged for code execution [1].

Impact

Successful exploitation allows an attacker to achieve arbitrary code execution in the context of the GTKWave process. This compromises the confidentiality, integrity, and availability (CIA) of the system. The CVSS v3.1 score is 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating full compromise of the local system [1].

Mitigation

As of the publication date (2024-01-08), no patched version of GTKWave has been released. The vulnerability is confirmed in GTKWave 3.3.115; users should avoid opening untrusted .vcd files with this version. Monitor the GTKWave project for updates that fix the out-of-bounds write issues. No workarounds are provided in the available references [1].