Company

Technical Security Consulting

Managing Risk

Research & Development

Forensics

Security Management

Media Centre

PCI DSS

• Home
• Overview
• R&D Services
• Technology Focus
• Messaging Systems Security
• Embedded Systems Security
• Collaborative Research Projects
• Technical Whitepapers
• Research Briefings
• Publicly Released Tools
• Vendor Alerts - 0days
• Security Advisories
• Advisories
• Advisory 028
• Advisory 027
• Advisory 026
• Advisory 025
• Advisory 024
• Advisory 023
• Advisory 022
• Advisory 021
• Advisory 020
• Advisory 019
• Advisory 018
• Advisory 017
• Advisory 016
• Advisory 015
• Advisory 014
• Advisory 013
• Advisory 012
• Advisory 011
• Advisory 010
• Advisory 009
• Advisory 008
• Advisory 007
• Advisory 006
• Advisory 005
• Advisory 004
• Advisory 003
• Advisory 002
• Advisory 001

Advisory 025

TIBCO Rendezvous RVD Daemon Remote Memory Leak DoS

Vulnerability Type / Importance: Remote DoS / High

Problem Discovered: 16 April 2007

Vendor Contacted: 16 April 2007

Advisory Published: 29 November 2007

Abstract:

The TIBCO Rendezvous RVD daemon is vulnerable to a memory leak, which when remotely triggered, prevents any further RV communication until the daemon is manually restarted.

Description:

The RV daemon (RVD) within TIBCO’s Rendezvous messaging product is responsible for the communication of messages between RV-enabled applications. The vulnerability exists as the result of an error in the code that parses information within one of the headers in a TIBCO proprietary network protocol packet.

Technical Details:

Within a Rendezvous “wire format” TCP packet, the first four bytes represent the number of bytes of data to expect within the packet, for example:

"0000007c" //total length of data in packet

"9955eeaa" // "magic" number

"06" // number of following bytes including null

"6d7479706500" //the text “mtype”

...etc

In the above example the number of data bytes in the packet is “0x7c”, or 124 bytes. If this value is set to zero in a packet sent to the RVD daemon then it stops responding to all subsequent communication. This appears to result from a memory leak, which continues to attempt to allocate memory. Eventually, operating system alert messages start to appear, warning that the virtual memory in the underlying operating system is running low.

Vendor & Patch Information:

TIBCO have fixed this issue in Rendezvous 8.0. The issue is documented as being fixed in the release notes as follows: 

1-84MR37 - Fixed a daemon memory growth defect associated with messages of length zero

Workaround:

There are no known workarounds for this vulnerability

Tested/Affected Versions:

IRM confirmed the presence of this vulnerability in Rendezvous versions 7.5.2, 7.5.3 and 7.5.4

Credits:

Research & Advisory: Varun Uppal and Andy Davis

Disclaimer:

All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.