CVE-2023-43688 – Malwarebytes, Nebula – Buffer overflow

SUMMARY:

An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later). There is a heap buffer overflow in various buffer encryption utilities.

AFFECTED VERSIONS

  • Malwarebytes 4 versions < 4.6.14.326
  • Malwarebytes 5 versions < 5.1.5.116
  • Nebula platform before June 2024, Endpoint Agent version < 2.0.0.64, Protection Service version < 4.6.17.334

PATCHED VERSIONS

  • Malwarebytes 4 versions >= 4.6.14.326 | Component version 1.0.2348, Update Package version >= 1.0.85245
  • Malwarebytes 5 versions >= 5.1.5.116 | Component version 1.0.1252, Update Package version >= 1.0.85245
  • Nebula platform June 2024, Endpoint Agent version >= 2.0.0.64, Protection Service version >= 4.6.17.334

MITIGATION ADVICE

The likelihood of exploitation is low: the affected utility functions were never included in the released software packages, so shipped builds do not contain the vulnerable code. The utility functions have been removed from the source code of the patched versions.

We still recommend upgrading to the latest versions of our software.

DETAILS

CWE                                  CVSS 3.x    Vector
CWE-122: Heap-based Buffer Overflow  7.5 High    Local
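The advisory names the weakness class (CWE-122) but does not describe the defect's mechanism. The block below is an added illustration, not Malwarebytes or Nebula code, of one common way a buffer encryption helper ends up with a heap overflow: the output buffer is sized to the plaintext length while block padding makes the ciphertext up to one block longer. The toy XOR block cipher, the 16-byte block size, the demo key and all function names are constructed for this example. The hardened helper shows the capacity check that refuses an undersized buffer instead of writing past it.

```c
/*
 * Constructed example of a CWE-122 pattern in a buffer encryption
 * helper, with the bounds check that prevents it. Not vendor code.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 16  /* assumed block size for the toy cipher */

/* Ciphertext length for PKCS#7-style padding: always at least one byte
 * longer than the input, rounded up to a whole block. */
size_t padded_len(size_t in_len) {
    return (in_len / BLOCK_SIZE + 1) * BLOCK_SIZE;
}

/* The flawed sizing logic: allocate exactly in_len bytes for the output.
 * Once padding is applied this is short by 1..BLOCK_SIZE bytes, so the
 * subsequent writes would run past the end of the heap chunk. */
size_t flawed_out_size(size_t in_len) {
    return in_len;
}

/* Toy "cipher": XOR one block with the key. Stands in for a real block
 * cipher; the point of the example is the length arithmetic. */
static void toy_block_xor(uint8_t *block, const uint8_t key[BLOCK_SIZE]) {
    for (size_t i = 0; i < BLOCK_SIZE; i++) block[i] ^= key[i];
}

/* Constructed demo key, not a real secret. */
static void demo_key(uint8_t key[BLOCK_SIZE]) {
    for (size_t i = 0; i < BLOCK_SIZE; i++) key[i] = (uint8_t)(0xA5 ^ i);
}

/* Hardened helper: refuses to write unless the caller's buffer can hold
 * the full padded ciphertext. Returns 0 on success and -1 on a NULL
 * argument or an undersized buffer; *out_len receives the length. */
int encrypt_buffer(const uint8_t *in, size_t in_len, const uint8_t key[BLOCK_SIZE],
                   uint8_t *out, size_t out_cap, size_t *out_len) {
    if ((!in && in_len) || !key || !out || !out_len) return -1;
    size_t need = padded_len(in_len);
    if (out_cap < need) return -1;  /* the check the flawed sizing lacks */
    memcpy(out, in, in_len);
    uint8_t pad = (uint8_t)(need - in_len);
    memset(out + in_len, pad, pad);
    for (size_t off = 0; off < need; off += BLOCK_SIZE) toy_block_xor(out + off, key);
    *out_len = need;
    return 0;
}

/* Inverse, for round-trip checks. Returns the plaintext length, or -1 on
 * a bad length, undersized output buffer or invalid padding. */
long decrypt_buffer(const uint8_t *in, size_t in_len, const uint8_t key[BLOCK_SIZE],
                    uint8_t *out, size_t out_cap) {
    if (!in || !key || !out || in_len == 0 || in_len % BLOCK_SIZE) return -1;
    if (out_cap < in_len) return -1;
    memcpy(out, in, in_len);
    for (size_t off = 0; off < in_len; off += BLOCK_SIZE) toy_block_xor(out + off, key);
    uint8_t pad = out[in_len - 1];
    if (pad == 0 || pad > BLOCK_SIZE || pad > in_len) return -1;
    for (size_t i = in_len - pad; i < in_len; i++) if (out[i] != pad) return -1;
    return (long)(in_len - pad);
}

/* 1 if the helper rejects a buffer sized with the flawed logic. */
int undersized_rejected(const char *msg) {
    uint8_t key[BLOCK_SIZE];
    demo_key(key);
    size_t in_len = strlen(msg), cap = flawed_out_size(in_len), n = 0;
    uint8_t *out = malloc(cap ? cap : 1);
    if (!out) return 0;
    int rc = encrypt_buffer((const uint8_t *)msg, in_len, key, out, cap, &n);
    free(out);
    return rc == -1;
}

/* 1 if encrypting into a correctly sized buffer round-trips the message. */
int roundtrip_ok(const char *msg) {
    uint8_t key[BLOCK_SIZE];
    demo_key(key);
    size_t in_len = strlen(msg), cap = padded_len(in_len), ct_len = 0;
    uint8_t *ct = malloc(cap), *pt = malloc(cap);
    if (!ct || !pt) { free(ct); free(pt); return 0; }
    int ok = encrypt_buffer((const uint8_t *)msg, in_len, key, ct, cap, &ct_len) == 0
          && ct_len == cap
          && decrypt_buffer(ct, ct_len, key, pt, cap) == (long)in_len
          && memcmp(pt, msg, in_len) == 0;
    free(ct); free(pt);
    return ok;
}

int main(void) {
    const char *msg = "buffer to encrypt";  /* constructed 17-byte input */
    size_t n = strlen(msg);
    printf("input %zu bytes: flawed size %zu, required %zu\n", n, flawed_out_size(n), padded_len(n));
    printf("undersized buffer rejected: %d\n", undersized_rejected(msg));
    printf("correctly sized round trip: %d\n", roundtrip_ok(msg));
    return 0;
}
```

The error in `flawed_out_size` is silent for any input length: even a block-aligned 16-byte input needs 32 bytes of output, because padding always adds a full block. The fix is not to guess the right constant at each call site but to route every caller through a helper that computes the padded length and checks the capacity it was given.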