How the NAME:WRECK Bugs Impact Consumers, Businesses
2021-04-13T21:03:41
ID THREATPOST:55D5F412C1BC622A738FB3429695E9B1 Type threatpost Reporter Tom Spring Modified 2021-04-13T21:03:41
Description
Researchers estimate more than 100 million internet-connected devices are vulnerable to a class of flaws dubbed NAME:WRECK.
Devices ranging from smartphones, aircraft navigation systems and industrial internet of things (IIoT) endpoints are vulnerable to either a denial-of-service (DoS) or remote code-execution (RCE) attack, according to a joint report by Forescout Research Labs and JSOF Research Labs. Patches are available for some affected vendors.
Nine vulnerabilities were identified within the implementation of the Domain Name System (DNS) protocol used by TCP/IP network communication stacks. These two technologies are used in tandem to uniquely identifying devices connected to the internet and facilitate digital communications between them. The most serious of the flaws are rated critical in severity.
“The widespread deployment and often external exposure of vulnerable DNS clients leads to a dramatically increased attack surface,” researchers wrote in a report released Tuesday (PDF). “[W]e can estimate that at least 100 million devices are impacted by NAME:WRECK.”
Breaking Down the NAME:WRECK Bugs
Under the auspices of the research collective known as Project Memoria, NAME:WRECK is the fifth set of vulnerabilities impacting TCP/IP libraries that have been disclosed over the past three years. Those that have come before are URGENT/11, Ripple20, Amnesia:33 and NUMBER:JACK (also discovered by Project Memoria and Forescout).
Forescout and JSOF researchers divide the nine NAME:WRECK vulnerabilities into four subcategories of devices dependent on the DNS and TCP/IP stacks (or firmware) used inside them. The categories include the FreeBSD, IPnet, Nucleus NET and NetX – each common in IoT and operational technology (OT) systems.
Researchers said the origin of the name NAME:WRECK is based on “how the parsing of domain names can break – ‘wreck’ – DNS implementations in TCP/IP stacks, leading to denial of service or remote code-execution.”
NAME:WRECK is similar to previous TCP/IP-DNS bugs that illustrate the complexity of the DNS protocol “that tends to yield vulnerable implementations,” where bugs can often be leveraged by external attackers to take control of millions of devices simultaneously, researchers said.
Unpacking a DNS Compression Bug
One of the class of NAME:WRECK bugs are identified as DNS compression issues, impacting a wide range of devices that compress data used to communicate over the internet using TCP/IP.
“With the first vulnerability, CVE-2020-27009, the attacker can craft a DNS response packet with a combination of invalid compression pointer offsets that allows them to write arbitrary data into sensitive parts of a device’s memory, where they will then inject the code,” researchers wrote.
“The second vulnerability, CVE2020-15795, allows the attacker to craft meaningful code to be injected by abusing very large domain name records in the malicious packet. Finally, to deliver the malicious packet to the target, the attacker can bypass DNS query-response matching using CVE-2021-25667,” they wrote.
The technical specifics are complicated, but boil down to how a domain name (like Google.com) is encoded within the TCP/IP stack as a sequence of labels “terminated by the NULL byte (0x00).” This process of encoding and compressing domain names is meant to reduce the size of the DNS messages. However, hackers could exploit vulnerabilities within the TCP/IP stack to force the unpacking of compressed domain names in a malicious manner, opening the devices running the TCP/IP stack to come under attack.
“By carefully choosing a combination of invalid compression offsets placed in a DNS packet, attackers can perform controlled out-of-bounds writes into the destination buffer ‘dst,’ potentially achieving remote code-execution,” researchers wrote.
As for the attack vector, researchers said, “The easiest way to construct a payload that will overflow name and overwrite heap metadata is to chain multiple domain labels.”
Researchers also identified other types of NAME:WRECK flaws, such as domain name label-parsing bugs, message-compression vulnerabilities and a VDomain name label-parsing bugs.
The Nine NAME:WRECK Bugs
The following are the vulnerability CVE tracking numbers and the type of TCP/IP stacks impacted:
CVE-2020-7461: A message compression bug impacting devices running FreeBSD and can lead to RCE (CVSS severity rating 7.7);
CVE-2016-20009: A message compression bug impacting devices running IPnet and can lead to RCE (CVSS severity rating 9.8);
CVE-2020-15795: A domain name label-parsing bug impacting devices running Nucleus NET and can lead to RCE (CVSS severity rating 8.1);
CVE-2020-27009: A message-compression bug impacting devices running Nucleus NET and can lead to RCE (CVSS severity rating 8.1);
CVE-2020-27736: A VDomain name label-parsing bug impacting devices running Nucleus NET and can lead to DoS (CVSS severity rating 6.5);
CVE-2020-27737: A VDomain name label-parsing bug impacting devices running Nucleus NET and can lead to DoS (CVSS severity rating 6.5);
CVE-2020-27738: A message-compression bug impacting devices running Nucleus NET and can lead to DoS (CVSS severity rating 6.5);
CVE-2021-25677: A transaction-ID bug impacting devices running Nucleus NET and can lead to DNS cache-poisoning attacks (CVSS severity rating 5.3);
And one CVE-unassigned: A message-compression bug impacting devices running NetX and can lead to DNS cache- poisoning attacks (CVSS severity rating 6.5).
How Can Users Mitigate NAME:WRECK Bugs?
Researchers are recommending that users and IT security staff discover and inventory devices running the vulnerable stacks. Forescout is making available an open-source script to fingerprint impacted devices.
Researchers also recommended the implementation of device and network-segmentation controls and restricting external communication to vulnerable devices until they are patched or removed from the network; and of course, users should patch devices as fixes become available.
Beyond that, users should configure vulnerable devices to run on internal DNS servers, and monitor network traffic for malicious packets attempting to exploit NAME:WRECK vulnerabilities or any bug affecting DNS, mDNS and DHCP clients.
Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a ***FREE Threatpost event, “Underground Markets: A Tour of the Dark Economy.” Experts will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. Register here for the Wed., April 21 LIVE event. *
{"id": "THREATPOST:55D5F412C1BC622A738FB3429695E9B1", "type": "threatpost", "bulletinFamily": "info", "title": "How the NAME:WRECK Bugs Impact Consumers, Businesses", "description": "Researchers estimate more than 100 million internet-connected devices are vulnerable to a class of flaws dubbed NAME:WRECK.\n\nDevices ranging from smartphones, aircraft navigation systems and industrial internet of things (IIoT) endpoints are vulnerable to either a denial-of-service (DoS) or remote code-execution (RCE) attack, according to a joint report by Forescout Research Labs and JSOF Research Labs. Patches are available for some affected vendors.\n\nNine vulnerabilities were identified within the implementation of the Domain Name System (DNS) protocol used by TCP/IP network communication stacks. These two technologies are used in tandem to uniquely identifying devices connected to the internet and facilitate digital communications between them. The most serious of the flaws are rated critical in severity. \n[](<https://threatpost.com/newsletter-sign/>) \n\u201cThe widespread deployment and often external exposure of vulnerable DNS clients leads to a dramatically increased attack surface,\u201d researchers wrote in a [report released Tuesday](<https://www.forescout.com/company/resources/namewreck-breaking-and-fixing-dns-implementations/>) (PDF). \u201c[W]e can estimate that at least 100 million devices are impacted by NAME:WRECK.\u201d\n\n## **Breaking Down the NAME:WRECK Bugs**\n\nUnder the auspices of the research collective known as Project Memoria, NAME:WRECK is the fifth set of vulnerabilities impacting TCP/IP libraries that have been disclosed over the past three years. Those that have come before are [URGENT/11](<https://threatpost.com/urgent-11-critical-infrastructure-eternalblue/146731/>), [Ripple20](<https://threatpost.com/millions-connected-devices-ripple20-bugs/156599/>), [Amnesia:33](<https://threatpost.com/amnesia33-tcp-ip-flaws-iot-devices/161928/>) and NUMBER:JACK (also discovered by Project Memoria and Forescout).\n\nForescout and JSOF researchers divide the nine NAME:WRECK vulnerabilities into four subcategories of devices dependent on the DNS and TCP/IP stacks (or firmware) used inside them. The categories include the FreeBSD, IPnet, Nucleus NET and NetX \u2013 each common in IoT and operational technology (OT) systems.\n\nResearchers said the origin of the name NAME:WRECK is based on \u201chow the parsing of domain names can break \u2013 \u2018wreck\u2019 \u2013 DNS implementations in TCP/IP stacks, leading to denial of service or remote code-execution.\u201d\n\nNAME:WRECK is similar to previous TCP/IP-DNS bugs that illustrate the complexity of the DNS protocol \u201cthat tends to yield vulnerable implementations,\u201d where bugs can often be leveraged by external attackers to take control of millions of devices simultaneously, researchers said.\n\n## **Unpacking a DNS Compression Bug**\n\nOne of the class of NAME:WRECK bugs are identified as DNS compression issues, impacting a wide range of devices that compress data used to communicate over the internet using TCP/IP.\n\n\u201cWith the first vulnerability, CVE-2020-27009, the attacker can craft a DNS response packet with a combination of invalid compression pointer offsets that allows them to write arbitrary data into sensitive parts of a device\u2019s memory, where they will then inject the code,\u201d researchers wrote.\n\n\u201cThe second vulnerability, CVE2020-15795, allows the attacker to craft meaningful code to be injected by abusing very large domain name records in the malicious packet. Finally, to deliver the malicious packet to the target, the attacker can bypass DNS query-response matching using CVE-2021-25667,\u201d they wrote.\n\nThe technical specifics are complicated, but boil down to how a domain name (like Google.com) is encoded within the TCP/IP stack as a sequence of labels \u201cterminated by the NULL byte (0x00).\u201d This process of encoding and compressing domain names is meant to reduce the size of the DNS messages. However, hackers could exploit vulnerabilities within the TCP/IP stack to force the unpacking of compressed domain names in a malicious manner, opening the devices running the TCP/IP stack to come under attack.\n\n\u201cBy carefully choosing a combination of invalid compression offsets placed in a DNS packet, attackers can perform controlled out-of-bounds writes into the destination buffer \u2018dst,\u2019 potentially achieving remote code-execution,\u201d researchers wrote.\n\nAs for the attack vector, researchers said, \u201cThe easiest way to construct a payload that will overflow name and overwrite heap metadata is to chain multiple domain labels.\u201d\n\nResearchers also identified other types of NAME:WRECK flaws, such as domain name label-parsing bugs, message-compression vulnerabilities and a VDomain name label-parsing bugs.\n\n## **The Nine NAME:WRECK Bugs**\n\nThe following are the vulnerability CVE tracking numbers and the type of TCP/IP stacks impacted:\n\n * CVE-2020-7461: A message compression bug impacting devices running FreeBSD and can lead to RCE (CVSS severity rating 7.7);\n * CVE-2016-20009: A message compression bug impacting devices running IPnet and can lead to RCE (CVSS severity rating 9.8);\n * CVE-2020-15795: A domain name label-parsing bug impacting devices running Nucleus NET and can lead to RCE (CVSS severity rating 8.1);\n * CVE-2020-27009: A message-compression bug impacting devices running Nucleus NET and can lead to RCE (CVSS severity rating 8.1);\n * CVE-2020-27736: A VDomain name label-parsing bug impacting devices running Nucleus NET and can lead to DoS (CVSS severity rating 6.5);\n * CVE-2020-27737: A VDomain name label-parsing bug impacting devices running Nucleus NET and can lead to DoS (CVSS severity rating 6.5);\n * CVE-2020-27738: A message-compression bug impacting devices running Nucleus NET and can lead to DoS (CVSS severity rating 6.5);\n * CVE-2021-25677: A transaction-ID bug impacting devices running Nucleus NET and can lead to DNS cache-poisoning attacks (CVSS severity rating 5.3);\n * And one CVE-unassigned: A message-compression bug impacting devices running NetX and can lead to DNS cache- poisoning attacks (CVSS severity rating 6.5).\n\n## **How Can Users Mitigate NAME:WRECK Bugs? **\n\nResearchers are recommending that users and IT security staff discover and inventory devices running the vulnerable stacks. Forescout is making available an open-source script to fingerprint impacted devices.\n\nResearchers also recommended the implementation of device and network-segmentation controls and restricting external communication to vulnerable devices until they are patched or removed from the network; and of course, users should patch devices as fixes become available.\n\nBeyond that, users should configure vulnerable devices to run on internal DNS servers, and monitor network traffic for malicious packets attempting to exploit NAME:WRECK vulnerabilities or any bug affecting DNS, mDNS and DHCP clients.\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _****_[FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _****_[Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_ for the Wed., April 21 LIVE event. _**\n", "published": "2021-04-13T21:03:41", "modified": "2021-04-13T21:03:41", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://threatpost.com/namewreck-bugs-businesses/165385/", "reporter": "Tom Spring", "references": ["https://threatpost.com/newsletter-sign/", "https://www.forescout.com/company/resources/namewreck-breaking-and-fixing-dns-implementations/", "https://threatpost.com/urgent-11-critical-infrastructure-eternalblue/146731/", "https://threatpost.com/millions-connected-devices-ripple20-bugs/156599/", "https://threatpost.com/amnesia33-tcp-ip-flaws-iot-devices/161928/", "https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar", "https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar"], "cvelist": ["CVE-2016-20009", "CVE-2020-15795", "CVE-2020-27009", "CVE-2020-27736", "CVE-2020-27737", "CVE-2020-27738", "CVE-2020-7461", "CVE-2021-25667", "CVE-2021-25677"], "immutableFields": [], "lastseen": "2021-04-13T21:52:45", "viewCount": 242, "enchantments": {"dependencies": {"references": [{"type": "ics", "idList": ["ICSA-21-103-04", "ICSA-21-103-13", "ICSA-21-068-03"]}, {"type": "cve", "idList": ["CVE-2021-25667", "CVE-2016-20009", "CVE-2020-27737", "CVE-2020-27009", "CVE-2020-7461", "CVE-2020-27738", "CVE-2020-15795", "CVE-2020-27736", "CVE-2021-25677"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_762B7D4AEC1911EA88F8901B0EF719AB.NASL"]}, {"type": "freebsd", "idList": ["762B7D4A-EC19-11EA-88F8-901B0EF719AB"]}, {"type": "threatpost", "idList": ["THREATPOST:042C17DFFA5D83F8091BA8DFCBFA8A8A", "THREATPOST:E8761681B3C50F33383D6538F6AA77E6", "THREATPOST:659B01C0432DD93535B729D005CCA9E8"]}], "modified": "2021-04-13T21:52:45", "rev": 2}, "score": {"value": 5.1, "vector": "NONE", "modified": "2021-04-13T21:52:45", "rev": 2}, "vulnersScore": 5.1}}
{"ics": [{"lastseen": "2021-05-01T09:46:51", "bulletinFamily": "info", "cvelist": ["CVE-2020-27736", "CVE-2020-27737", "CVE-2020-27738", "CVE-2021-25677"], "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 6.5**\n * **ATTENTION: **Exploitable remotely/low attack complexity\n * **Vendor:** Siemens\n * **Equipment: **SIMOTICS CONNECT 400\n * **Vulnerabilities:** Improper Null Termination, Out-of-bounds Read, Access of Memory Location After End of Buffer, Use of Insufficiently Random Values\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an attacker to poison the DNS cache or spoof DNS resolving.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following products and versions are affected: \n\u2022 SIMOTICS CONNECT 400, All versions prior to v0.5.0.0 \n\u2022 SIMOTICS CONNECT 400, v0.5.0.0 and later only affected by [CVE-2021-25677](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25677>)\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [IMPROPER NULL TERMINATION CWE-170](<https://cwe.mitre.org/data/definitions/170.html>)\n\nThe DNS domain name label parsing functionality does not properly validate the null-terminated name in DNS-responses. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition or leak the read memory.\n\n[CVE-2020-27736](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27736>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H>)).\n\n#### 3.2.2 [OUT-OF-BOUNDS READ CWE-125](<https://cwe.mitre.org/data/definitions/125.html>)\n\nThe DNS response parsing functionality does not properly validate various length and counts of the records. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition or leak the memory past the allocated structure.\n\n[CVE-2020-27737](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27737>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H>)).\n\n#### 3.2.3 [ACCESS OF MEMORY LOCATION AFTER END OF BUFFER CWE-788](<https://cwe.mitre.org/data/definitions/788.html>)\n\nThe DNS domain name record decompression functionality does not properly validate the pointer offset values. The parsing of malformed responses could result in a read access past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition.\n\n[CVE-2020-27738](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27738>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H>)).\n\n#### 3.2.4 [ACCESS OF MEMORY LOCATION AFTER END OF BUFFER CWE-788](<https://cwe.mitre.org/data/definitions/788.html>)\n\nThe DNS client does not properly randomize DNS transaction IDs. This could allow an attacker to poison the DNS cache or spoof DNS resolving. \n[CVE-2021-25677](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25677>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Energy\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Germany\n\n### 3.4 RESEARCHER\n\nSiemens reported these vulnerabilities to CISA.\n\n## 4\\. MITIGATIONS\n\nSiemens has identified the following specific workarounds and mitigations users can apply to reduce risk:\n\n * [Update to v0.5.0.0](<https://support.industry.siemens.com/cs/ww/en/view/109778383/>)\n * For versions prior to v0.5.0.0, Siemens recommends users follow general security recommendations in Siemens Security Advisory [SSA-669158](<https://cert-portal.siemens.com/productcert/pdf/ssa-669158.pdf>)\n\nAs a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to [Siemens operational guidelines for Industrial Security](<https://www.siemens.com/cert/operational-guidelines-industrial-security>), and following the recommendations in the product manuals.\n\nFor further inquiries on security vulnerabilities in Siemens\u2019 products and solutions, please contact [Siemens ProductCERT](<https://www.siemens.com/cert/advisories>).\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-21-103-13>); we'd welcome your feedback.\n", "modified": "2021-04-13T00:00:00", "published": "2021-04-13T00:00:00", "id": "ICSA-21-103-13", "href": "https://www.us-cert.gov/ics/advisories/icsa-21-103-13", "type": "ics", "title": "Siemens SIMOTICS CONNECT 400", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2021-05-01T09:46:47", "bulletinFamily": "info", "cvelist": ["CVE-2020-15795", "CVE-2020-27009"], "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 8.1**\n * **ATTENTION:** Exploitable remotely/low attack complexity\n * **Vendor:** Siemens\n * **Equipment: **Nucleus NET, Nucleus RTOS, Nucleus Source Code, VSTAR\n * **Vulnerabilities:** Out-of-bounds Write, Use of Out-of-Range Pointer Offset\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow a denial-of-service condition or for the execution of code remotely.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following Nucleus products are affected:\n\n * Nucleus NET: All versions prior to v5.2\n * Nucleus RTOS: Versions including affected DNS modules\n * Nucleus Source Code: Versions including affected DNS modules\n * VSTAR: Versions including affected DNS modules\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [OUT-OF-BOUNDS WRITE CWE-787](<https://cwe.mitre.org/data/definitions/787.html>)\n\nThe DNS domain name label parsing functionality does not properly validate the names in DNS-responses. The parsing of malformed responses could result in a write past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to execute code in the context of the current process or cause a denial-of-service condition.\n\n[CVE-2020-15795](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15795>) has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H>)). \n\n\n#### 3.2.2 [USE OF OUT-OF-RANGE POINTER OFFSET CWE-823](<https://cwe.mitre.org/data/definitions/823.html>)\n\nThe DNS domain name record decompression functionality does not properly validate the pointer offset values. The parsing of malformed responses could result in a write past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to execute code in the context of the current process or cause a denial-of-service condition.\n\n[CVE-2020-27009](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27009>) has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Multiple Sectors\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Germany\n\n### 3.4 RESEARCHER\n\nDaniel dos Santos, from Forescout Technologies, and Siemens reported these vulnerabilities to CISA.\n\n## 4\\. MITIGATIONS\n\nSiemens has published security advisory [SSA-185699](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>) and released the following mitigations for the affected products:\n\n * Nucleus NET: Follow general security measures or upgrade to the latest versions of Nucleus ReadyStart or Nucleus 4. Note the latest version of Nucleus NET (v5.2) is not affected by the vulnerabilities but is already beyond end of software support.\n * Nucleus RTOS: Contact [customer support](<https://support.sw.siemens.com/en-US/signin>) to receive patch and update information.\n * Nucleus Source Code: Contact [customer support](<https://support.sw.siemens.com/en-US/signin>) to receive patch and update information.\n * VSTAR: Contact [customer support](<https://support.sw.siemens.com/en-US/signin>) to receive patch and update information.\n\nSiemens has identified the following specific workarounds and mitigations users can apply to reduce risk:\n\n * Avoid using DNS client of affected versions.\n * For additional mitigation advice contact Siemens customer support or a Nucleus Sales team.\n\nAs a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u2019 [Operational Guidelines for Industrial Security](<https://www.siemens.com/cert/operational-guidelines-industrial-security>), and to follow the recommendations in the product manuals.\n\nAdditional information on industrial security by Siemens can be found at: [https://www.siemens.com/industrialsecurity ](<https://www.siemens.com/industrialsecurity>)\n\nFor further inquiries on security vulnerabilities in Siemens\u2019 products and solutions, contact [Siemens ProductCERT](<https://www.siemens.com/cert/advisories>).\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-21-103-04>); we'd welcome your feedback.\n", "modified": "2021-04-13T00:00:00", "published": "2021-04-13T00:00:00", "id": "ICSA-21-103-04", "href": "https://www.us-cert.gov/ics/advisories/icsa-21-103-04", "type": "ics", "title": "Siemens Nucleus Products DNS Module", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-13T17:52:18", "bulletinFamily": "info", "cvelist": ["CVE-2021-25667"], "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 8.8**\n * **ATTENTION: **Exploitable remotely/low attack complexity\n * **Vendor: **Siemens\n * **Equipment: **SCALANCE and RUGGEDCOM Devices\n * **Vulnerability: **Stack-based Buffer Overflow\n\n## 2\\. UPDATE INFORMATION\n\nThis updated advisory is a follow-up to the original advisory titled ICSA-21-068-03 Siemens SCALANCE and RUGGEDCOM Devices that was published March 9, 2021, to the ICS webpage on us-cert.cisa.gov.\n\n## 3\\. RISK EVALUATION\n\nSuccessful exploitation of this vulnerability could allow an attacker to cause a reboot. Under specific circumstances, an attacker could also achieve remote code execution of the affected devices.\n\n## 4\\. TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\nThe following Siemens products are affected:\n\n**\\--------- Begin Update A Part 1 of 2 --------**\n\n * RUGGEDCOM RM1224: All versions from v4.3 and prior to v4.6\n * SCALANCE M-800: All versions from v4.3 and prior to v4.6\n * SCALANCE S615: All versions from v4.3 and prior to v4.6\n * SCALANCE XR-300WG: All versions prior to v4.1\n * SCALANCE XB-200: All versions prior to v4.1\n * SCALANCE XC-200: All versions prior to v4.1\n * SCALANCE XF-200BA: All versions prior to v4.1\n * SCALANCE XP-200: All versions prior to v4.1\n\n**\\--------- End Update A Part 1 of 2 --------**\n\n * SCALANCE SC-600 Family: All versions from v2.0 and prior to v2.1.3\n * SCALANCE XM400: All versions prior to v6.2\n * SCALANCE XR500: All versions prior to v6.2\n\n### 4.2 VULNERABILITY OVERVIEW\n\n#### 4.2.1 [STACK-BASED BUFFER OVERFLOW CWE-121](<https://cwe.mitre.org/data/definitions/121.html>)\n\nAffected devices contain a stack-based buffer overflow vulnerability in the handling of Spanning Tree Protocol (STP) Bridge Protocol Data Unit (BPDU) frames that could allow a remote attacker to trigger a denial-of-service condition or potential remote code execution. Successful exploitation requires the passive listening feature of the device to be active.\n\n[CVE-2021-25667](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25667>) has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS: **Multiple Sectors\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** Germany\n\n### 4.4 RESEARCHER\n\nSiemens reported this vulnerability to CISA.\n\n## 5\\. MITIGATIONS\n\nSiemens recommends applying updates where applicable:\n\n * SCALANCE SC-600 Family: [Update to v2.1.3](<https://support.industry.siemens.com/cs/ww/en/109793041>) or later\n * SCALANCE X300WG: [Update to v4.1](<https://support.industry.siemens.com/cs/ww/en/109773547>) or later\n * SCALANCE XM400: [Update to v6.2](<https://support.industry.siemens.com/cs/ww/en/109764409>) or later\n * SCALANCE XR500: [Update to v6.2](<https://support.industry.siemens.com/cs/ww/en/109761425>) or later\n\n**\\--------- Begin Update A Part 2 of 2 --------**\n\n * SCALANCE XB-200: [Update to v4.1 ](<https://support.industry.siemens.com/cs/ww/en/109773547>)or later\n * SCALANCE XC-200: [Update to v4.1](<https://support.industry.siemens.com/cs/ww/en/109773547>) or later\n * SCALANCE XF-200BA: [Update to v4.1](<https://support.industry.siemens.com/cs/ww/en/109773547>) or later\n * SCALANCE XP-200: [Update to v4.1](<https://support.industry.siemens.com/cs/ww/en/109773547>) or later\n * RUGGEDCOM RM1224: [Update to v6.4](<https://support.industry.siemens.com/cs/ww/en/109794349/>) or later\n * SCALANCE M-800: [Update to v6.4](<https://support.industry.siemens.com/cs/ww/en/109794349/>) or later\n * SCALANCE S615: [Update to v6.4](<https://support.industry.siemens.com/cs/ww/en/109794349/>) or later\n\n**\\--------- End Update A Part 2 of 2 --------**\n\nSiemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:\n\n * Deactivate the STP passive listening feature of the vulnerable devices.\n\nAs a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to [Siemens operational guidelines for Industrial Security](<https://cert-portal.siemens.com/operational-guidelines-industrial-security.pdf>) and following the recommendations in the product manuals.\n\nFor additional information, please refer to Siemens Security Advisory [SSA-979775](<https://cert-portal.siemens.com/productcert/pdf/ssa-979775.pdf>)\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target this vulnerability.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-21-068-03>); we'd welcome your feedback.\n", "modified": "2021-04-13T00:00:00", "published": "2021-04-13T00:00:00", "id": "ICSA-21-068-03", "href": "https://www.us-cert.gov/ics/advisories/icsa-21-068-03", "type": "ics", "title": "Siemens SCALANCE and RUGGEDCOM Devices (Update A)", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2021-04-28T11:49:16", "description": "A vulnerability has been identified in RUGGEDCOM RM1224 (All versions >= V4.3 and < V6.4), SCALANCE M-800 (All versions >= V4.3 and < V6.4), SCALANCE S615 (All versions >= V4.3 and < V6.4), SCALANCE SC-600 Family (All versions >= V2.0 and < V2.1.3), SCALANCE XB-200 (All versions < V4.1), SCALANCE XC-200 (All versions < V4.1), SCALANCE XF-200BA (All versions < V4.1), SCALANCE XM400 (All versions < V6.2), SCALANCE XP-200 (All versions < V4.1), SCALANCE XR-300WG (All versions < V4.1), SCALANCE XR500 (All versions < V6.2). Affected devices contain a stack-based buffer overflow vulnerability in the handling of STP BPDU frames that could allow a remote attacker to trigger a denial-of-service condition or potentially remote code execution. Successful exploitation requires the passive listening feature of the device to be active.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-15T17:15:00", "title": "CVE-2021-25667", "type": "cve", "cwe": ["CWE-121"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25667"], "modified": "2021-04-22T21:15:00", "cpe": ["cpe:/o:siemens:scalance_sc636-2c_firmware:2.0", "cpe:/o:siemens:scalance_sc642-2c_firmware:2.0", "cpe:/o:siemens:scalance_sc632-2c_firmware:2.0", "cpe:/o:siemens:scalance_sc646-2c_firmware:2.0", "cpe:/o:siemens:scalance_sc622-2c_firmware:2.0"], "id": "CVE-2021-25667", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25667", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siemens:scalance_sc646-2c_firmware:2.0:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:scalance_sc636-2c_firmware:2.0:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:scalance_sc632-2c_firmware:2.0:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:scalance_sc622-2c_firmware:2.0:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:scalance_sc642-2c_firmware:2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-05-01T09:49:22", "description": "A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0), Nucleus NET (All versions), Nucleus RTOS (versions including affected DNS modules), Nucleus ReadyStart (All versions < V2017.02.3), Nucleus Source Code (versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), SIMOTICS CONNECT 400 (All versions >= V0.5.0.0), VSTAR (versions including affected DNS modules). The DNS client does not properly randomize DNS transaction IDs. That could allow an attacker to poison the DNS cache or spoof DNS resolving.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-04-22T21:15:00", "title": "CVE-2021-25677", "type": "cve", "cwe": ["CWE-330"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25677"], "modified": "2021-04-30T13:42:00", "cpe": ["cpe:/a:siemens:vstar:-", "cpe:/o:siemens:nucleus_rtos:-", "cpe:/o:siemens:simotics_connect_400_firmware:*", "cpe:/a:siemens:nucleus_source_code:-", "cpe:/a:siemens:nucleus_net:*", "cpe:/a:siemens:nucleus_readystart:2017.02.3"], "id": "CVE-2021-25677", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25677", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:siemens:nucleus_rtos:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nucleus_net:*:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:simotics_connect_400_firmware:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nucleus_source_code:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:vstar:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nucleus_readystart:2017.02.3:*:*:*:*:*:*:*"]}, {"lastseen": "2021-05-01T09:39:35", "description": "A vulnerability has been identified in Nucleus NET (All versions < V5.2), Nucleus RTOS (versions including affected DNS modules), Nucleus Source Code (versions including affected DNS modules), VSTAR (versions including affected DNS modules). The DNS domain name record decompression functionality does not properly validate the pointer offset values. The parsing of malformed responses could result in a write past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to execute code in the context of the current process or cause a denial-of-service condition.", "edition": 3, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-22T21:15:00", "title": "CVE-2020-27009", "type": "cve", "cwe": ["CWE-823"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27009"], "modified": "2021-04-30T17:16:00", "cpe": ["cpe:/a:siemens:vstar:-", "cpe:/o:siemens:nucleus_rtos:-", "cpe:/a:siemens:nucleus_source_code:-"], "id": "CVE-2020-27009", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27009", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siemens:nucleus_rtos:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nucleus_source_code:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:vstar:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-05-01T09:39:35", "description": "A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0), Nucleus NET (All versions), Nucleus RTOS (versions including affected DNS modules), Nucleus ReadyStart (All versions < V2017.02.3), Nucleus Source Code (versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), VSTAR (versions including affected DNS modules). The DNS domain name record decompression functionality does not properly validate the pointer offset values. The parsing of malformed responses could result in a read access past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.2}, "published": "2021-04-22T21:15:00", "title": "CVE-2020-27738", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27738"], "modified": "2021-04-30T13:35:00", "cpe": ["cpe:/a:siemens:vstar:-", "cpe:/o:siemens:nucleus_rtos:-", "cpe:/a:siemens:nucleus_source_code:-", "cpe:/a:siemens:nucleus_net:*"], "id": "CVE-2020-27738", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27738", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:o:siemens:nucleus_rtos:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nucleus_net:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nucleus_source_code:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:vstar:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-05-01T09:39:35", "description": "A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0), Nucleus NET (All versions), Nucleus RTOS (versions including affected DNS modules), Nucleus ReadyStart (All versions < V2017.02.3), Nucleus Source Code (versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), VSTAR (versions including affected DNS modules). The DNS domain name label parsing functionality does not properly validate the null-terminated name in DNS-responses. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition or leak the read memory.", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 4.2}, "published": "2021-04-22T21:15:00", "title": "CVE-2020-27736", "type": "cve", "cwe": ["CWE-170"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27736"], "modified": "2021-04-30T14:45:00", "cpe": ["cpe:/a:siemens:vstar:-", "cpe:/o:siemens:nucleus_rtos:-", "cpe:/a:siemens:nucleus_source_code:-", "cpe:/a:siemens:nucleus_net:*"], "id": "CVE-2020-27736", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27736", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:o:siemens:nucleus_rtos:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nucleus_net:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nucleus_source_code:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:vstar:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-22T23:58:47", "description": "** UNSUPPORTED WHEN ASSIGNED ** A DNS client stack-based buffer overflow in ipdnsc_decode_name() affects Wind River VxWorks 6.5 through 7. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-11T22:15:00", "title": "CVE-2016-20009", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-20009"], "modified": "2021-03-19T18:47:00", "cpe": ["cpe:/o:windriver:vxworks:7.0"], "id": "CVE-2016-20009", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-20009", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:windriver:vxworks:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-05-01T09:39:35", "description": "A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0), Nucleus NET (All versions), Nucleus RTOS (versions including affected DNS modules), Nucleus ReadyStart (All versions < V2017.02.3), Nucleus Source Code (versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), VSTAR (versions including affected DNS modules). The DNS response parsing functionality does not properly validate various length and counts of the records. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition or leak the memory past the allocated structure.", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 4.2}, "published": "2021-04-22T21:15:00", "title": "CVE-2020-27737", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27737"], "modified": "2021-04-30T14:45:00", "cpe": ["cpe:/a:siemens:vstar:-", "cpe:/o:siemens:nucleus_rtos:-", "cpe:/a:siemens:nucleus_source_code:-", "cpe:/a:siemens:nucleus_net:*"], "id": "CVE-2020-27737", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27737", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:o:siemens:nucleus_rtos:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nucleus_net:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nucleus_source_code:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:vstar:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-05-01T09:39:24", "description": "A vulnerability has been identified in Nucleus NET (All versions < V5.2), Nucleus RTOS (versions including affected DNS modules), Nucleus Source Code (versions including affected DNS modules), VSTAR (versions including affected DNS modules). The DNS domain name label parsing functionality does not properly validate the names in DNS-responses. The parsing of malformed responses could result in a write past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to execute code in the context of the current process or cause a denial-of-service condition.", "edition": 3, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-22T21:15:00", "title": "CVE-2020-15795", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15795"], "modified": "2021-04-30T17:12:00", "cpe": ["cpe:/a:siemens:vstar:-", "cpe:/o:siemens:nucleus_rtos:-", "cpe:/a:siemens:nucleus_source_code:-"], "id": "CVE-2020-15795", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15795", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siemens:nucleus_rtos:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nucleus_source_code:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:vstar:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-23T01:09:50", "description": "In FreeBSD 12.1-STABLE before r365010, 11.4-STABLE before r365011, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, dhclient(8) fails to handle certain malformed input related to handling of DHCP option 119 resulting a heap overflow. The heap overflow could in principle be exploited to achieve remote code execution. The affected process runs with reduced privileges in a Capsicum sandbox, limiting the immediate impact of an exploit.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 7.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.4}, "published": "2021-03-26T21:15:00", "title": "CVE-2020-7461", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7461"], "modified": "2021-04-02T19:14:00", "cpe": ["cpe:/o:freebsd:freebsd:11.3", "cpe:/o:freebsd:freebsd:11.4", "cpe:/o:freebsd:freebsd:12.1"], "id": "CVE-2020-7461", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7461", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:freebsd:freebsd:12.1:p7:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p12:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p9:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p11:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.4:-:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:-:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p7:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p6:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.4:p1:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p8:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p5:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:12.1:-:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p2:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:12.1:p5:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p3:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:12.1:p6:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:12.1:p2:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p10:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:12.1:p3:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p1:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:12.1:p1:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.4:p2:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:12.1:p8:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.3:p4:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:12.1:p4:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-04-07T07:52:54", "description": "When parsing option 119 data, dhclient(8) computes the uncompressed\ndomain list length so that it can allocate an appropriately sized\nbuffer to store the uncompressed list. The code to compute the length\nfailed to handle certain malformed input, resulting in a heap overflow\nwhen the uncompressed list is copied into in inadequately sized\nbuffer. Impact : The heap overflow could in principle be exploited to\nachieve remote code execution. The affected process runs with reduced\nprivileges in a Capsicum sandbox, limiting the immediate impact of an\nexploit. However, it is possible the bug could be combined with other\nvulnerabilities to escape the sandbox.", "edition": 4, "cvss3": {"score": 7.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2020-09-04T00:00:00", "title": "FreeBSD : FreeBSD -- dhclient heap overflow (762b7d4a-ec19-11ea-88f8-901b0ef719ab)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-7461"], "modified": "2020-09-04T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:FreeBSD"], "id": "FREEBSD_PKG_762B7D4AEC1911EA88F8901B0EF719AB.NASL", "href": "https://www.tenable.com/plugins/nessus/140236", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(140236);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/04/06\");\n\n script_cve_id(\"CVE-2020-7461\");\n script_xref(name:\"FreeBSD\", value:\"SA-20:26.dhclient\");\n\n script_name(english:\"FreeBSD : FreeBSD -- dhclient heap overflow (762b7d4a-ec19-11ea-88f8-901b0ef719ab)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"When parsing option 119 data, dhclient(8) computes the uncompressed\ndomain list length so that it can allocate an appropriately sized\nbuffer to store the uncompressed list. The code to compute the length\nfailed to handle certain malformed input, resulting in a heap overflow\nwhen the uncompressed list is copied into in inadequately sized\nbuffer. Impact : The heap overflow could in principle be exploited to\nachieve remote code execution. The affected process runs with reduced\nprivileges in a Capsicum sandbox, limiting the immediate impact of an\nexploit. However, it is possible the bug could be combined with other\nvulnerabilities to escape the sandbox.\"\n );\n # https://vuxml.freebsd.org/freebsd/762b7d4a-ec19-11ea-88f8-901b0ef719ab.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9dfa738b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-7461\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:FreeBSD\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"FreeBSD>=12.1<12.1_9\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"FreeBSD>=11.4<11.4_3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"FreeBSD>=11.3<11.3_13\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2021-04-03T13:27:07", "bulletinFamily": "unix", "cvelist": ["CVE-2020-7461"], "description": "\nProblem Description:\nWhen parsing option 119 data, dhclient(8) computes the uncompressed domain\n\tlist length so that it can allocate an appropriately sized buffer to store\n\tthe uncompressed list. The code to compute the length failed to handle\n\tcertain malformed input, resulting in a heap overflow when the uncompressed\n\tlist is copied into in inadequately sized buffer.\nImpact:\nThe heap overflow could in principle be exploited to achieve remote code\n\texecution. The affected process runs with reduced privileges in a Capsicum\n\tsandbox, limiting the immediate impact of an exploit. However, it is\n\tpossible the bug could be combined with other vulnerabilities to escape the\n\tsandbox.\n", "edition": 2, "modified": "2020-09-02T00:00:00", "published": "2020-09-02T00:00:00", "id": "762B7D4A-EC19-11EA-88F8-901B0EF719AB", "href": "https://vuxml.freebsd.org/freebsd/762b7d4a-ec19-11ea-88f8-901b0ef719ab.html", "title": "FreeBSD -- dhclient heap overflow", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
