Permissions, Privileges, and Access Controls in znc (Alpine package)

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU32011

Risk: High

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-12816

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

Modules.cpp in ZNC before 1.7.4-rc1 allows remote authenticated non-admin users to escalate privileges and execute arbitrary code by loading a module with a crafted name.

Mitigation

Install update from vendor's website.

Vulnerable software versions

znc (Alpine package): 1.7.0-r0 - 1.7.1-r3

CPE2.3

• cpe:2.3:a:alpine:znc_alpine_package:1.7.0-r0:*:*:*:*:alpine_linux:*:3.7
• cpe:2.3:a:alpine:znc_alpine_package:1.7.1-r0:*:*:*:*:alpine_linux:*:3.5
• cpe:2.3:a:alpine:znc_alpine_package:1.7.1-r1:*:*:*:*:alpine_linux:*:3.7

External links

https://git.alpinelinux.org/aports/commit/?id=cdfce01d9c38dda01d4e3ca9dd6d267dfa7921b6
https://git.alpinelinux.org/aports/commit/?id=77bef56d80b9c2748cacb4d249cb8af4854a1b03
https://git.alpinelinux.org/aports/commit/?id=9f597246c67939eeee73b2e42c904193c37d14b1
https://git.alpinelinux.org/aports/commit/?id=5524d0802e01fb342f5903cf764bc02a3cf001e0
https://git.alpinelinux.org/aports/commit/?id=bbe0e7a47c997626ab5531f35346431f28b947bd
https://git.alpinelinux.org/aports/commit/?id=5ba4ab63dba572def02e384a6ce330f7fe18aaf7
https://git.alpinelinux.org/aports/commit/?id=4eb3f0ba36d173d0d72b335c97203d6744d3fac3
https://git.alpinelinux.org/aports/commit/?id=31a764089f1e1bb0df223c191bfea1d1ae51ca7f

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.