
Vulnerabilities in zlib affecting ETAS Products

First released: 2022-04-11

Last updated: 2022-05-18

Status: final

Summary

Critical vulnerability in zlib, an open-source library for data compression and decompression written in the C programming language.

On 2022-04-06, the following critical vulnerability in zlib affecting all versions < 1.2.12 was disclosed:

  • CVE-2018-25032: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

ETAS's Response to These Vulnerabilities

ETAS assessed all products and services for impact from all listed CVEs. Product fixes listed on this page will address all listed CVEs unless otherwise noted.

Due to the nature of the library, ETAS products might be affected: ETAS software either uses zlib directly or contains it indirectly, e.g. as part of an operating system.

We are compiling and analyzing a list of affected products and will continuously update this webpage with the latest available information.

Affected Products

Zlib is included in multiple ETAS products. We have performed an internal risk assessment regarding all variants of the vulnerability's exploitability and impact for our desktop and embedded applications.

In summary, an exploitation of the vulnerability is unlikely due to the following factors:

  • The vulnerability requires very specific parameters to be set when calling the zlib compression function.
  • These parameters are not used anywhere within our code.
  • Data compressed by our applications originates from the application itself or from other trusted sources.

The vulnerability could thus only be triggered when the included zlib instances are called directly (outside of our program flow). In this case, an attacker would have to execute a call to the zlib library directly on a local machine. Since this would not allow for any privilege escalation or code execution where the attacker could not execute code before, the impact seems minimal to non-existent.
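To make the three exploitability factors above (library version, compression parameters, data origin) checkable across a product inventory, here is an added Python example that is not ETAS code. It assumes, from the zlib 1.2.12 changelog rather than from this advisory, that the affected deflate path is the Z_FIXED strategy, and it applies the same triage to the zlib the running interpreter has actually loaded; the inventory it triages is constructed sample data.

```python
import zlib
# CVE-2018-25032 is fixed in zlib 1.2.12 (advisory). That the affected deflate path is
# the Z_FIXED strategy comes from the zlib 1.2.12 changelog, not from the advisory.
FIXED_IN = (1, 2, 12)

NOT_AFFECTED = "library not affected"
PATH_UNREACHED = "affected library, but vulnerable deflate path not used"
TRUSTED_ONLY = "affected library, path reachable only with trusted input"
URGENT = "affected library, path reachable with untrusted input: update now"

def parse_version(text):
    """'1.2.11-1ubuntu2' -> (1, 2, 11): numeric prefix of each dotted field."""
    parts = []
    for field in text.split("."):
        num = ""
        for ch in field:
            if not ch.isdigit():
                break
            num += ch
        if not num:
            break
        parts.append(int(num))
    return tuple(parts)

def assess(version, strategy, untrusted_input):
    """The advisory's three factors in order: version, parameters, data origin."""
    if parse_version(version) >= FIXED_IN:   # 1.2.12 and later carry the fix
        return NOT_AFFECTED
    if strategy != zlib.Z_FIXED:             # other strategies never reach the bug
        return PATH_UNREACHED
    if not untrusted_input:                  # third factor: where the data comes from
        return TRUSTED_ONLY
    return URGENT

def triage(inventory):
    """{product: (zlib_version, strategy, untrusted_input)} -> {product: verdict}"""
    return {name: assess(*facts) for name, facts in inventory.items()}

def check_this_process():
    """Same triage for the zlib this interpreter actually loaded at run time."""
    version = zlib.ZLIB_RUNTIME_VERSION
    return version, assess(version, zlib.Z_DEFAULT_STRATEGY, untrusted_input=False)

# Constructed sample inventory, not ETAS product data.
SAMPLE_INVENTORY = {
    "tool-a": ("1.2.11", zlib.Z_DEFAULT_STRATEGY, True),   # default strategy, user files
    "tool-b": ("1.2.11", zlib.Z_FIXED, False),             # Z_FIXED, but own data only
    "tool-c": ("1.2.3", zlib.Z_FIXED, True),               # Z_FIXED on user-supplied files
    "tool-d": ("1.2.12", zlib.Z_FIXED, True),              # OS zlib already at 1.2.12
}
```

Run `triage(SAMPLE_INVENTORY)` to see one verdict per product; `check_this_process()` reports the runtime zlib version rather than the one Python was built against, which is the value an OS patch actually changes.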

Therefore, ETAS sees no urgency to release hotfixes or emergency updates, but will replace the included instances of zlib with the next upcoming releases as part of the regular patch cycle for the following products:

Vulnerable Products

Product/Service                                   Report   Hotfix   Fixed Release

Data Acquisition and Processing
  INCA                                            N/A      N/A      V7.4.1
  MDA
  INCA-EIP
  INCA-FLEXRAY
  INCA-LIN
  INCA-MCE
  INCA-MIP
  INCA-QM-BASIC
  Engineering shipped with product: INCA-TOUCH
  ODX-LINK
  INCA-FLOW                                       N/A      N/A      V4.13
  INCA-RDE                                        N/A      N/A      V1.9

Development Tools
  COSYM-PC                                        N/A      N/A      03. Feb
  Integrator
  COSYM-CAR
  COSYM-PA
  CEE
  SIMULATOR

Products Confirmed Not Vulnerable

Data Acquisition and Processing

  • EHOOKS
    • EHOOKS-CAL
    • EHOOKS-BYP
  • RALO

Development Tools

  • LABCAR-MODEL

Vehicle OS

  • ISOLAR
    • ISOLAR-A
    • ISOLAR-B
    • ISOLAR-EVE
  • RTA
    • RTA-CAR
    • RTA-OS
    • RTA-RTE
    • RTA-BSW
    • RTA-FBL
    • RTA-VRTE
    • RTA-LWHVR
    • RTA-SUM
    • MCAL-IFX

Security Products

  • CycurLIB
  • CycurTLS
  • CycurHSM
  • CycurGUARD