#VU13055 Stack-based buffer overflow in icu - CVE-2017-17484

Cybersecurity Help s.r.o.

Published: 2018-05-30

Vulnerability identifier: #VU13055

Vulnerability risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-17484

CWE-ID: CWE-121

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
icu
Universal components / Libraries / Libraries used by multiple products

Vendor: ICU - International Components for Unicode

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to stack-based buffer overflow when the ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion. A remote unauthenticated attacker can supply a specially crafted string, as demonstrated by ZNC, trigger memory corruption and cause the service to crash.

Mitigation
Update to the latest version.

Vulnerable software versions

icu: 49.1 - 59.1

External links
https://ssl.icu-project.org/trac/changeset/40714

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Flex System Chassis Management Module (CMM)

OpenSUSE Linux update for icu