#VU11262 Improper resource shutdown in Binutils - CVE-2018-8945

Cybersecurity Help s.r.o.

Published: 2018-03-26

Vulnerability identifier: #VU11262

Vulnerability risk: Low

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2018-8945

CWE-ID: CWE-404

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Binutils
Universal components / Libraries / Libraries used by multiple products

Vendor: GNU

Description
The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists in the bfd_section_from_shdr function due to improper bounds checking. A remote attacker can submit a specially crafted ELF file and cause the service to crash.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Binutils: 2.30

External links
https://sourceware.org/bugzilla/show_bug.cgi?id=22809

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Improper resource shutdown in binutils (Alpine package)

Gentoo update for Binutils

Denial of service in GNU Binutils