Vulnerability Notice HTC VIVE
CVE NUMBER
Not requested.
CVSS SCORE
3.3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
SUMMARY
Our reverse engineering team discovered an out-of-bounds memory read vulnerability in VIVE’s Business Streaming software. HTC Corporation fixed the vulnerability after we reported it to them via our Coordinated Vulnerability Disclosure (CVD) program.
IMPACTED VERSIONS
At least the following version is affected (and likely also lower versions).
- HTC VIVE Virtual Audio Driver 0.1.11.7
DETAILS
VIVE, sometimes referred to as HTC VIVE, is a virtual reality brand of HTC Corporation. According to their website, it consists of hardware like its virtual reality headsets and accessories, virtual reality software and services, and initiatives that promote applications of virtual reality in sectors like business, arts, and video gaming. VIVE provides drivers for their virtual reality headsets that must be installed to use the hardware.
One of its kernel drivers creates a device that is readable and writable by any user on the system. One of the supported IOCTLs seems to be for testing purposes, as it copies a test string to the SystemBuffer. However, instead of copying memory using the size of the test string, it copies memory based on the size of the output buffer. The vulnerability exists in the call to qmemcpy: using qmemcpy with an arbitrary size results in an out-of-bounds memory read in the kernel.
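The bug pattern described above and a bounded alternative, as a user-space C model added here. It is not the driver's code or HTC's patch; the function names, the test string and the adjacent bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for kernel memory: the test string, followed by
 * unrelated bytes that the caller should never receive. */
static const char fake_kernel_memory[] = "TEST_STRING\0" "ADJACENT-KERNEL-DATA";
#define TEST_LEN 12 /* "TEST_STRING" plus its terminating NUL */

/* Pattern from the advisory: the copy length is the caller-supplied output
 * buffer size, so anything after the test string is copied out as well. */
size_t test_ioctl_vulnerable(char *system_buffer, size_t out_len)
{
    memcpy(system_buffer, fake_kernel_memory, out_len);
    return out_len; /* bytes reported back to the caller */
}

/* Bounded form (assumed fix): the copy length is the size of the source
 * object; a buffer that cannot hold it is rejected (returns 0). */
size_t test_ioctl_fixed(char *system_buffer, size_t out_len)
{
    if (system_buffer == NULL || out_len < TEST_LEN)
        return 0;
    memcpy(system_buffer, fake_kernel_memory, TEST_LEN);
    return TEST_LEN;
}

int main(void)
{
    char out[32];

    memset(out, 0, sizeof out);
    size_t n = test_ioctl_vulnerable(out, sizeof out);
    printf("vulnerable: %zu bytes returned, %zu past the test string\n",
           n, n - TEST_LEN);

    memset(out, 0, sizeof out);
    n = test_ioctl_fixed(out, sizeof out);
    printf("fixed:      %zu bytes returned (\"%s\")\n", n, out);
    return 0;
}
```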
TIMELINE
- 12-09-2023 - Initial notice to HTC and request for security contact.
- 23-10-2023 - First reply from HTC requesting more information.
- 24-09-2023 - Sent full vulnerability details to HTC Security Team.
- 15-12-2023 - HTC released a patch for the vulnerability.
- 15-01-2024 - Planned public release of our blog post.
REFERENCE
VIVE’s Business Streaming software: https://business.vive.com/eu/solutions/streaming/
CREDIT
Discovered by Tijme Gommers, Jan-Jaap Korpershoek and Alex Oudenaarden of Northwave Cyber Security