CVE-2024-41445: Library MDF (mdflib) v2.1 is vulnerable to a heap-based buffer overread (25-09-2024)

Preface: What is an MF4/MDF4 file? Measurement Data Format version 4 (MDF 4) is a standard file format by ASAM used by the automotive industry for storing measurement data in a binary file format. It records CAN, CAN FD and LIN bus data, as well as sensor data from an engine control unit (ECU), and offers interoperability across many CAN tools.

Background: MF4 (aka MDF or Measurement Data Format) is a popular CAN bus log file format. It was designed for use in the automotive industry, primarily for the areas of ECU development, calibration and testing.

What is ECU development? The development of an ECU involves both the hardware and the software required to perform the functions expected from that particular module. Automotive ECUs are developed following the V-model.

Can I use the MDF-LIB freely? Yes, the lib was created to encourage all software developers to use the MDF4 format.

Vulnerability details: Library MDF (mdflib) v2.1 is vulnerable to a heap-based buffer overread when a crafted MDF4 file is parsed using the ReadData function.
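
Added example (not mdflib code, and not a reproduction of the CVE-2024-41445 root cause, which this page does not describe): the kind of header check a parser needs so that a length field taken from a crafted file can never steer a read past the end of the buffer. It assumes the MDF4 block header layout of a 4-byte id starting with "##", 4 reserved bytes, a 64-bit little-endian block length and a 64-bit little-endian link count; mdf4_check_block, rd_le64 and the sample arrays are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MDF4_HDR_SIZE 24u /* id[4] + reserved[4] + length[8] + link_count[8] */

enum blk_status { BLK_OK, BLK_TRUNCATED, BLK_BAD_ID, BLK_BAD_LENGTH, BLK_BAD_LINKS };

/* Little-endian uint64 read, independent of host alignment and byte order. */
static uint64_t rd_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Validate the block header at offset `off` of a file image `buf` (`size` bytes).
 * On BLK_OK, [*data_off, *data_off + *data_len) lies entirely inside buf. */
enum blk_status mdf4_check_block(const uint8_t *buf, size_t size, size_t off,
                                 size_t *data_off, size_t *data_len) {
    if (off > size || size - off < MDF4_HDR_SIZE) return BLK_TRUNCATED;
    const uint8_t *h = buf + off;
    if (h[0] != '#' || h[1] != '#') return BLK_BAD_ID;
    uint64_t length = rd_le64(h + 8), links = rd_le64(h + 16);
    /* The declared length comes from the file: it must cover the header
     * and must not exceed the bytes actually present after `off`. */
    if (length < MDF4_HDR_SIZE || length > (uint64_t)(size - off)) return BLK_BAD_LENGTH;
    /* 8 bytes per link; divide instead of multiplying to avoid overflow. */
    if (links > (length - MDF4_HDR_SIZE) / 8) return BLK_BAD_LINKS;
    size_t skip = MDF4_HDR_SIZE + (size_t)links * 8;
    *data_off = off + skip;
    *data_len = (size_t)length - skip;
    return BLK_OK;
}

/* Constructed samples: a 32-byte "##DT" block, and the same bytes with the
 * length field changed to 4096 although only 32 bytes exist. */
static const uint8_t sample_ok[32] = {'#','#','D','T', 0,0,0,0, 32,0,0,0,0,0,0,0,
                                      0,0,0,0,0,0,0,0, 1,2,3,4,5,6,7,8};
static const uint8_t sample_bad[32] = {'#','#','D','T', 0,0,0,0, 0,16,0,0,0,0,0,0,
                                       0,0,0,0,0,0,0,0, 1,2,3,4,5,6,7,8};

int main(void) {
    size_t o = 0, n = 0;
    printf("ok=%d ", mdf4_check_block(sample_ok, sizeof sample_ok, 0, &o, &n));
    printf("crafted=%d\n", mdf4_check_block(sample_bad, sizeof sample_bad, 0, &o, &n));
    return 0;
}
```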

Official announcement: Please refer to the vendor announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-41445
