zlib Vulnerability

Is dSPACE software affected by the zlib vulnerabilities?

We are getting requests from our customers who are concerned about the so-called zlib vulnerabilities.

The security vulnerabilities concern the zlib library, a C-based open source library for compressing and decompressing data in many environments.

Based on our software dependency analysis, dSPACE products are affected by the vulnerability listed below, since dSPACE software uses zlib either directly or indirectly via third-party libraries.
Our risk analysis of the zlib vulnerability CVE-2018-25032 gave the following picture for dSPACE products.


  1. Exploitation of the vulnerability is very unlikely:
  • There is no place in our source code where the potentially vulnerable function (deflateInit2) is called with the Z_FIXED strategy parameter.
  • The data compressed in the workflow of our products is prepared by the products themselves, and its content is difficult to influence from outside.
  • Only in products in which zlib ships as a DLL can this parameter be influenced at all, and only by calling zlib directly.
  2. The possible damage in case of exploitation is small:
  • No secret or protected data (access credentials, personal information) is kept in the memory of our products.
  • If the bug crashes one of our programs, measurement data can be lost.
  • There is currently no exploit that achieves arbitrary code execution. Any code would run only in the context of the current user.
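The two conditions above (an affected zlib build, and deflateInit2 called with Z_FIXED) are what an integrator should verify for their own code. The following is an added example, not dSPACE code: it uses Python's standard zlib module as a stand-in for the C library, parses the runtime zlib version against the affected range named in this notification (1.2.2.2 up to 1.2.11, fixed in 1.2.12), and wraps compressobj so that a Z_FIXED request is downgraded to Z_DEFAULT_STRATEGY whenever the linked zlib is in that range. The function names, the fallback policy and the sample payload are all assumptions made for the illustration.

```python
import re
import zlib

# Affected range as stated in this notification: zlib 1.2.2.2 up to 1.2.11.
# 1.2.12 is the first release carrying the fix for CVE-2018-25032.
FIRST_AFFECTED = (1, 2, 2, 2)
FIXED_IN = (1, 2, 12)


def parse_zlib_version(version: str) -> tuple:
    """Turn a zlib version string such as '1.2.11' or '1.2.13.zlib-ng'
    into a tuple of ints, keeping only the leading numeric components."""
    match = re.match(r"^(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised zlib version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: str) -> bool:
    """True if the given zlib version lies inside the affected range."""
    parsed = parse_zlib_version(version)
    return FIRST_AFFECTED <= parsed < FIXED_IN


def choose_strategy(requested: int, runtime_version: str) -> int:
    """Return the deflate strategy that will actually be used.

    Mirrors the risk assessment above: the bug is only reachable when
    deflateInit2 runs with Z_FIXED, so on an affected zlib a Z_FIXED request
    is downgraded to Z_DEFAULT_STRATEGY (hypothetical policy). Every other
    strategy passes through unchanged.
    """
    if requested == zlib.Z_FIXED and is_affected(runtime_version):
        return zlib.Z_DEFAULT_STRATEGY
    return requested


def compress_payload(data: bytes,
                     requested_strategy: int = zlib.Z_DEFAULT_STRATEGY,
                     runtime_version: str = zlib.ZLIB_RUNTIME_VERSION) -> bytes:
    """Compress data with the strategy choose_strategy() permits for the
    zlib actually linked into this interpreter."""
    strategy = choose_strategy(requested_strategy, runtime_version)
    comp = zlib.compressobj(level=zlib.Z_BEST_COMPRESSION, strategy=strategy)
    return comp.compress(data) + comp.flush()


def roundtrip_ok(data: bytes, requested_strategy: int) -> bool:
    """Compress with the permitted strategy and check the output inflates
    back to the original bytes."""
    return zlib.decompress(compress_payload(data, requested_strategy)) == data


if __name__ == "__main__":
    # Constructed sample standing in for product-generated measurement data.
    sample = b"measurement,42.0,43.1,42.7\n" * 200
    print("linked zlib:", zlib.ZLIB_RUNTIME_VERSION,
          "affected:", is_affected(zlib.ZLIB_RUNTIME_VERSION))
    print("Z_FIXED effective strategy:",
          choose_strategy(zlib.Z_FIXED, zlib.ZLIB_RUNTIME_VERSION))
    print("round trip ok:", roundtrip_ok(sample, zlib.Z_FIXED))
```

The version check is the piece worth keeping: run it once at start-up (or as a build-time assertion) against the zlib build you actually ship, rather than trusting the version recorded in a dependency manifest, because a statically linked or vendored copy can differ from what the package manager reports.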


Accordingly, dSPACE sees no acute need for action and will replace the zlib version in use with the fixed version in the next regular release of the following affected products.

  • ASM
  • AutomationDesk
  • ConfigurationDesk
  • ControlDesk
  • ModelDesk
  • Platform API Package
  • Python Extensions
  • RealTimeTesting
  • SIMPHERA

To remediate the zlib vulnerability in the affected products MotionDesk and SensorSim, please update to AURELION: AURELION is our new product for visualization and sensor simulation and replaces the deprecated tools MotionDesk and SensorSim. If such a replacement is not possible, please contact your sales representative for a solution. There will be no update to the deprecated product ASM_KNC. If your own risk assessment shows that an update is needed, please contact your sales representative for a solution.

CVE Dictionary Entry: CVE-2018-25032
Description and assessment: This vulnerability could lead to a crash or custom code execution if customized input data is compressed using the Z_FIXED option during compression. Affected versions are 1.2.2.2 to 1.2.11.

Tags
Date: 2022-06-27
Information Type: Notifications
Information Category: Product Security, Troubleshooting
dSPACE Release: 2022-A, 2021-B, 2021-A, 2020-B, 2020-A, 2019-B, 2019-A, 2018-B, 2018-A, 2017-B, 2017-A, 2016-B, 2016-A, 2015-B, 2015-A, 2014-B, 2014-A, 2013-B, 2013-A, Prior to 2013-A
