Facebook anunciou que atualizou seu software de servidor HHVM que elimina a possibilidade de que ele seja explorado. A empresa anunciou que havia dois bugs críticos nele. The vulnerabilities allow the hackers to obtain sensitive data or cause a denial of service attack by uploading a malicious JPEG image.
Facebook has updated their HHVM server software by fixing two critical errors that have been identified in it. These bugs are rated as “crítico” by the social network and concern the fact that by exploiting the JPEG processing engine. The criminals have found that they can construct dangerous image files that can be used to lead to denial of service or data theft. The problem lies within the HHVM engine, short for HipHop Virtual Machine which is the service which has been developed by Facebook. Its purpose is to execute programs written in the Hack and PHP programming languages in a high-performance mode. Its code is open-source meaning that other platforms that use it for their own portals.
Exemplos são Wikipedia e Box which also share the same image uploading schemes. The origins of the vulnerabilities are presumed to be caused by a memory overflow in one of the extensions. The result of the image processes will lead to a so-called out-of-bounds — this means that the malfunctioning program (in the case of HHVM) can read data from outside of the allocated memory. As a result of the weakness the problems have been classified in the following advisories:
- CVE-2019-11925 — Insufficient boundary check issues occur when processing the JPEG APP12 block marker in the GD extension, allowing potential attackers to access out-of-bounds memory via a maliciously crafted invalid JPEG input.
- CVE-2019-11926 — Insufficient boundary check issues occur when processing M_SOFx markers from JPEG headers in the GD extension, allowing potential attackers to access out-of-bounds memory via a maliciously crafted invalid JPEG input.
All services that use the HHVM service are urged to update their installations to the latest version.