Denial of service in LibTomCrypt
| Risk | Low |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-17362 |
| CWE-ID | CWE-125 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
libtomcrypt Universal components / Libraries / Libraries used by multiple products |
| Vendor | LibTom |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Out-of-bounds read
EUVDB-ID: #VU22616
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-17362
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) atttack.
The vulnerability exists due to a boundary condition within the der_decode_utf8_string() function in der_decode_utf8_string.c file in LibTomCrypt. A remote attacker can pass to the application specially crafted DER-encoded data, trigger out-of-bounds read error and cause application crash.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionslibtomcrypt: 1.18.0 - 1.18.2
CPE2.3- cpe:2.3:a:libtom:libtomcrypt:1.18.0:*:*:*:*:*:*:*
- cpe:2.3:a:libtom:libtomcrypt:1.18.1:*:*:*:*:*:*:*
- cpe:2.3:a:libtom:libtomcrypt:1.18.2:*:*:*:*:*:*:*
https://github.com/libtom/libtomcrypt/issues/507
https://github.com/libtom/libtomcrypt/pull/508
https://vuldb.com/?id.142995
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
