CVE-2023-37574
Description
Multiple use-after-free vulnerabilities exist in the VCD get_vartoken realloc functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the use-after-free when triggered via the GUI's legacy VCD parsing code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free vulnerabilities in GTKWave's VCD parsing can be triggered by a crafted .vcd file, leading to arbitrary code execution when the victim opens the file.
Vulnerability
Multiple use-after-free (CWE-416) vulnerabilities exist in the vcd_parse function of GTKWave 3.3.115, specifically within the get_vartoken realloc functionality when parsing Value Change Dump (.vcd) files. The flaw is present in the GUI's legacy VCD parsing code as well as in the conversion utilities (vcd2lxt, vcd2lxt2, vcd2vzt). A specially crafted .vcd file can trigger a use-after-free condition, leading to arbitrary code execution [1].
Exploitation
An attacker can exploit this vulnerability by providing a malicious .vcd file to the victim. No authentication or special privileges are required; the victim only needs to open the file using GTKWave's GUI or command-line tools. Double-clicking a file received via email is sufficient to trigger the vulnerability. Exploitation relies on specially crafted tokens in the .vcd file that cause the get_vartoken function to reallocate memory improperly, resulting in a use-after-free [1].
Impact
Successful exploitation results in arbitrary code execution with the privileges of the victim user. This can lead to full compromise of the affected system, including unauthorized access, data theft, malware installation, or further lateral movement within the network. The impact is high for confidentiality, integrity, and availability (CVSSv3 score 7.8) [1].
Mitigation
As of the publication date (2024-01-08), no patched version of GTKWave has been released for this vulnerability. Users should avoid opening .vcd files from untrusted sources. Since the vulnerability is triggered via the GUI's legacy VCD parsing, users may consider using alternative waveform viewers or restricting .vcd file handling. The vendor has been notified, but no official fix or workaround has been provided in the available references [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GTKWave/GTKWave (v5), Range: 3.3.115
Patches
No patches discovered yet.