Resource exhaustion in libtasn1 (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-6003 |
| CWE-ID | CWE-400 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
libtasn1 (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Resource exhaustion
EUVDB-ID: #VU10323
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-6003
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1. A remote attacker can trigger unlimited recursion in the BER decoder and stack exhaustion to cause the service to crash.
Install update from vendor's website.
Vulnerable software versionslibtasn1 (Alpine package): 4.8-r2
CPE2.3 External linkshttp://git.alpinelinux.org/aports/commit/?id=69f938f4250b0ba60b9ee4e57d42325791fa0cda
http://git.alpinelinux.org/aports/commit/?id=a17a05c052b39180e5e9ca9198ab8756ba0fc0aa
http://git.alpinelinux.org/aports/commit/?id=b2bb01e5559952d7c2535629e34c5a46a8c2b4ff
http://git.alpinelinux.org/aports/commit/?id=168bada46338709fc84104aad1c8331707186320
http://git.alpinelinux.org/aports/commit/?id=416c169e023504b4f4eed09a4cf1b882c8c0724f
http://git.alpinelinux.org/aports/commit/?id=b844828751639ed6678a815bc7b40b9508ee8e0b
http://git.alpinelinux.org/aports/commit/?id=4fbd4bf8096893f9d7e8d2725463113bcfb5e1a9
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
