Ubuntu update for libmodbus
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2019-14462 CVE-2019-14463 |
| CWE-ID | CWE-125 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Ubuntu Operating systems & Components / Operating system libmodbus5 (Ubuntu package) Operating systems & Components / Operating system package or component |
| Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU20025
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-14462
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information or perform denial of service attack.
The vulnerability exists due to a boundary condition within MODBUS_FC_WRITE_MULTIPLE_COILS in libmodbus. A local user can submit specially crafted input to the affected aplication, trigger out-of-bounds read error and read contents of memory on the system or perform denial of service attack.
MitigationUpdate the affected package libmodbus to the latest version.
Vulnerable software versionsUbuntu: 18.04
libmodbus5 (Ubuntu package): before 3.0.6-2+deb9u1build0.18.04.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:libmodbus5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-5173-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Out-of-bounds read
EUVDB-ID: #VU20026
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-14463
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information or perform denial of service attack.
The vulnerability exists due to a boundary condition within MODBUS_FC_WRITE_MULTIPLE_REGISTERS in libmodbus. A local user can submit specially crafted input to the affected aplication, trigger out-of-bounds read error and read contents of memory on the system or perform denial of service attack.
MitigationUpdate the affected package libmodbus to the latest version.
Vulnerable software versionsUbuntu: 18.04
libmodbus5 (Ubuntu package): before 3.0.6-2+deb9u1build0.18.04.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:libmodbus5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-5173-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
