Resource exhaustion in go (Alpine package)

1) Resource exhaustion

EUVDB-ID: #VU17245

Risk: Low

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2019-6486

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition.

The vulnerability exists in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves due to insufficient validation of user-supplied input. A remote attacker can submit specially crafted inputs via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures, consume excessive amounts of CPU and cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

go (Alpine package): 1.10.7-r0 - 1.11.4-r0

CPE2.3

• cpe:2.3:o:alpine:go_alpine_package:1.10.7-r0:*:*:*:*:alpine_linux:*:3.7
• cpe:2.3:o:alpine:go_alpine_package:1.10.8-r0:*:*:*:*:alpine_linux:*:3.7
• cpe:2.3:o:alpine:go_alpine_package:1.11-r0:*:*:*:*:alpine_linux:*:3.8

External links

https://git.alpinelinux.org/aports/commit/?id=573b7537c7e1ab2732007a1d026a913613ca2d03
https://git.alpinelinux.org/aports/commit/?id=17caf1ca31bcf51f92d7f466d287824869ec3f25
https://git.alpinelinux.org/aports/commit/?id=27f348ba847da969ec1809cfd6d4f76455fc5405
https://git.alpinelinux.org/aports/commit/?id=f4894bf9bd05edccdac484db35c4d6fb06a3b26c
https://git.alpinelinux.org/aports/commit/?id=6aedd89e4a16f89a2e01bf4d33ebba35c27f433f
https://git.alpinelinux.org/aports/commit/?id=d37614ce585d5dcfa9ef4b641992dfc998b6574c

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.