CVE-2023-43690 – Malwarebytes, Nebula – Integer Signedness

SUMMARY:

An denial of service was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later).  There is an Integer signedness comparison issue when comparing an allocated buffer size and a memory range, causing the comparison to almost always return true, causing the denial of service.

AFFECTED VERSIONS

  • Malwarebytes 4 versions < 4.6.14.326
  • Malwarebytes 5 versions < 5.1.5.116
  • Nebula platform before June 2024, Endpoint Agent version < 2.0.0.64, Protection Service version < 4.6.17.334

PATCHED VERSIONS

  • Malwarebytes 4 versions >= 4.6.14.326 | Component version 1.0.2348 , Update Package version >= 1.0.85245
  • Malwarebytes 5 versions >= 5.1.5.116 | Component version 1.0.1252 , Update Package version >= 1.0.85245
  • Nebula platform June 2024, Endpoint Agent version >= 2.0.0.64, Protection Service version >= 4.6.17.334

MITIGATION ADVICE

We recommend upgrading the affected endpoints to the patched versions.

DETAILS

CWECVS 3.xVector
CWE-704: Incorrect Type Conversion or CastMediumLocal

RECOGNITION

X41-Dsec

REFERENCES

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43690