CVE-2024-8375

Name of the Vulnerable Software and Affected Versions: Reverb versions prior to the version including git commit 6a0dcf4c9e842b7f999912f792aaa6f6bd261a25

Description: There exists a use after free vulnerability in Reverb. Reverb supports the VARIANT datatype, which is supposed to represent an arbitrary object in C++. When a tensor proto of type VARIANT is unpacked, memory is first allocated to store the entire tensor, and a constructor is called on each instance. Afterwards, Reverb copies the content in tensor content to the previously mentioned pre-allocated memory, which results in the bytes in tensor content overwriting the vtable pointers of all the objects which were previously allocated. Reverb exposes two relevant gRPC endpoints: "InsertStream" and "SampleStream". The attacker can insert this stream into the server’s database, then when the client next calls "SampleStream" they will unpack the tensor into RAM, and when any method on that object is called (including its destructor) the attacker gains control of the Program Counter.

Recommendations: Upgrade past git commit 6a0dcf4c9e842b7f999912f792aaa6f6bd261a25 to resolve the issue. As a temporary workaround, consider restricting access to the "InsertStream" and "SampleStream" endpoints until the upgrade is applied. Avoid using the tensor content variable in the affected API endpoints until the issue is resolved.