CVE-2019-6250 - OpenCVE

A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4.2.x and 4.3.x before 4.3.1. A v2_decoder.cpp zmq::v2_decoder_t::size_ready integer overflow allows an authenticated attacker to overwrite an arbitrary amount of bytes beyond the bounds of a buffer, which can be leveraged to run arbitrary code on the target system. The memory layout allows the attacker to inject OS commands into a data structure located immediately after the problematic buffer (i.e., it is not necessary to use a typical buffer-overflow exploitation technique that changes the flow of control).

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Zeromq	Libzmq

Configuration 1 [-]

OR	cpe:2.3:a:zeromq:libzmq::::::::
	cpe:2.3:a:zeromq:libzmq::::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/zeromq/libzmq/issues/3351	Exploit Patch Third Party Advisory
https://github.com/zeromq/libzmq/releases/tag/v4.3.1	Third Party Advisory
https://security.gentoo.org/glsa/201903-22	Third Party Advisory
https://www.debian.org/security/2019/dsa-4368	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-01-13T15:00:00

Updated: 2019-03-28T04:06:12

Reserved: 2019-01-13T00:00:00

Link: CVE-2019-6250

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-01-13T15:29:00.547

Modified: 2019-04-03T13:38:58.310

Link: CVE-2019-6250

JSON object: View

Redhat Information

No data.

CWE

CWE-190

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-01-13T00:00:00", "descriptions": [{"lang": "en", "value": "A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4.2.x and 4.3.x before 4.3.1. A v2_decoder.cpp zmq::v2_decoder_t::size_ready integer overflow allows an authenticated attacker to overwrite an arbitrary amount of bytes beyond the bounds of a buffer, which can be leveraged to run arbitrary code on the target system. The memory layout allows the attacker to inject OS commands into a data structure located immediately after the problematic buffer (i.e., it is not necessary to use a typical buffer-overflow exploitation technique that changes the flow of control)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-03-28T04:06:12", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "DSA-4368", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2019/dsa-4368"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zeromq/libzmq/issues/3351"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zeromq/libzmq/releases/tag/v4.3.1"}, {"name": "GLSA-201903-22", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201903-22"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-6250", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4.2.x and 4.3.x before 4.3.1. A v2_decoder.cpp zmq::v2_decoder_t::size_ready integer overflow allows an authenticated attacker to overwrite an arbitrary amount of bytes beyond the bounds of a buffer, which can be leveraged to run arbitrary code on the target system. The memory layout allows the attacker to inject OS commands into a data structure located immediately after the problematic buffer (i.e., it is not necessary to use a typical buffer-overflow exploitation technique that changes the flow of control)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-4368", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4368"}, {"name": "https://github.com/zeromq/libzmq/issues/3351", "refsource": "CONFIRM", "url": "https://github.com/zeromq/libzmq/issues/3351"}, {"name": "https://github.com/zeromq/libzmq/releases/tag/v4.3.1", "refsource": "CONFIRM", "url": "https://github.com/zeromq/libzmq/releases/tag/v4.3.1"}, {"name": "GLSA-201903-22", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201903-22"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-6250", "datePublished": "2019-01-13T15:00:00", "dateReserved": "2019-01-13T00:00:00", "dateUpdated": "2019-03-28T04:06:12", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zeromq:libzmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "79DFA925-B69B-4DFB-B33F-8B8AC4A692E3", "versionEndIncluding": "4.2.5", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zeromq:libzmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E33C064-59C2-4751-B3F2-3425B18D1CA4", "versionEndExcluding": "4.3.1", "versionStartIncluding": "4.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4.2.x and 4.3.x before 4.3.1. A v2_decoder.cpp zmq::v2_decoder_t::size_ready integer overflow allows an authenticated attacker to overwrite an arbitrary amount of bytes beyond the bounds of a buffer, which can be leveraged to run arbitrary code on the target system. The memory layout allows the attacker to inject OS commands into a data structure located immediately after the problematic buffer (i.e., it is not necessary to use a typical buffer-overflow exploitation technique that changes the flow of control)."}, {"lang": "es", "value": "Se ha descubierto un desbordamiento de punteros con ejecuci\u00f3n de c\u00f3digo en ZeroMQ libzmq (tambi\u00e9n conocido como 0MQ), en versiones 4.2.x y 4.3.x anteriores a la 4.3.1. Un desbordamiento de enteros en zmq::v2_decoder_t::size_ready, en v2_decoder.cpp, permite que un atacante autenticado sobrescriba una cantidad arbitraria de bytes m\u00e1s all\u00e1 de los l\u00edmites de un b\u00fafer, lo que puede ser aprovechado para ejecutar c\u00f3digo arbitrario en el sistema objetivo. La distribuci\u00f3n de la memoria permite que el atacante inyecte comandos del sistema operativo en una estructura de datos ubicada inmediatamente tras el b\u00fafer problem\u00e1tico (esto es, no es necesario emplear una t\u00e9cnica t\u00edpica de explotaci\u00f3n de desbordamiento de b\u00fafer que cambie el flujo de control)."}], "id": "CVE-2019-6250", "lastModified": "2019-04-03T13:38:58.310", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-01-13T15:29:00.547", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/zeromq/libzmq/issues/3351"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/zeromq/libzmq/releases/tag/v4.3.1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201903-22"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2019/dsa-4368"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}]}