search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Embarcadero Delphi and C++Builder VCL BMP file processing buffer overflow

Vulnerability Note VU#646748

Original Release Date: 2014-09-11 | Last Revised: 2014-12-12

Overview

Embarcadero Delphi and C++ Builder Visual Component Library (VCL) bitmap (BMP) file processing code contains a buffer overflow that could allow an attacker to execute arbitrary code.

Description

Embarcadero Delphi and C++ Builder tools contain a buffer overflow (CWE-119) in VCL BMP file processing code (Vcl.Graphics.TPicture.Bitmap). Core Security Technologies advisory CORE-2014-0004 provides further details, including more specific information about vulnerable development tools. Any application built with a vulnerable VCL version are likely to also be vulnerable.

Impact

An attacker who can cause a vulnerable application to process a specially crafted BMP file could execute arbitrary code. Whether or not the attacker is remote or authenticated depends on the interfaces and behavior of the vulnerable application.

Solution

Update

Embarcadero has released a hotfix for XE6-series tools and provided documentation for older tools on how to modify VCL source code.

Rebuild applications

After updating using the hotfix or manually editing the VCL source code, rebuild applications using the updated VCL code.

Vendor Information

646748
 
Affected   Unknown   Unaffected

Embarcadero Technologies

Notified:  July 09, 2014 Updated:  September 11, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal 6.8 E:POC/RL:ND/RC:C
Environmental 5.1 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Marcos Accossatto and JoaquÌn RodrÌguez Varela from Core Security Technologies and Mike Devery from Embarcadero.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2014-0993
Date Public: 2014-08-20
Date First Published: 2014-09-11
Date Last Updated: 2014-12-12 16:24 UTC
Document Revision: 27

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.