Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:905177
HistoryOct 26, 2005 - 12:00 a.m.

Skype vulnerable to heap-based buffer overflow

2005-10-2600:00:00
www.kb.cert.org
19

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.056 Low

EPSS

Percentile

93.2%

JSON

Overview

A heap-based buffer overflow in Skype may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

Description

Skype software provides telephone service over IP networks. Skype contains a buffer overflow in a routine that parses incoming network traffic. The issue exists because Skype relies on user-controlled data to determine the size of buffers used to handle incoming packets. This may allow a remote attacker to manipulate memory allocation routines to create an under-sized buffer. When data is copied to this buffer, a heap-based buffer overflow may occur.

For more information, please refer to Skype Security Bulletin SKYPE-SB/2005-003.

Impact

A remote attacker may be able to overwrite heap memory causing the Skype process to crash or cause unpredictable behavior. In addition, public reports claim this vulnerability can be used to execute arbitrary code.

Solution

Upgrade Skype
Please see Skype Security Bulletin SKYPE-SB/2005-003 for a list of fixed Skype versions.

Vendor Information

905177

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Skype Technologies __ Affected

Updated: October 26, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see <http://www.skype.com/security/skype-sb-2005-03.html&gt;.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23905177 Feedback>).

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was reported by SKY-CERT. Skype credits EADS Corporate Research Center security lab with providing information regarding this vulnerability.

This document was written by Jeff Gennari.

Other Information

CVE IDs: CVE-2005-3267
Severity Metric: 20.88 Date Public:

Related

cve 1
openvas 2
nessus 3
freebsd 1
cve
cve
CVE-2005-3267
2005-10-27 10:02:00
openvas
openvas
FreeBSD Ports: skype
2008-09-04 00:00:00
FreeBSD Ports: skype
2008-09-04 00:00:00
nessus
nessus
Skype < 1.4.0.84 Multiple Remote Overflows (credentialed check)
2005-10-26 00:00:00
FreeBSD : skype -- multiple buffer overflow vulnerabilities (70fc13d9-4ab4-11da-932d-00055d790c25)
2006-05-13 00:00:00
Skype < 1.4.0.84 Multiple Vulnerabilities (uncredentialed check)
2006-04-11 00:00:00
freebsd
freebsd
skype -- multiple buffer overflow vulnerabilities
2005-10-25 00:00:00

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.056 Low

EPSS

Percentile

93.2%

JSON
Related for VU:905177
cve1openvas2nessus3freebsd1