#VU14470 Infinite loop in Libxml2 - CVE-2018-14567

Cybersecurity Help s.r.o.

Published: 2018-08-20 | Updated: 2018-08-21

Vulnerability identifier: #VU14470

Vulnerability risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-14567

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Libxml2
Universal components / Libraries / Libraries used by multiple products

Vendor: Gnome Development Team

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in the liblzma error code of the GNOME libxml2 library due to an infinite loop condition in the Lempel–Ziv–Markov (LZMA) decompression feature during the processing of XML files. A remote attacker can trick the victim into opening an XML file that submits malicious input, trigger a LZMA_MEMLIMIT_ERROR condition and cause the service to crash.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Libxml2: 2.9.8

External links
https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell EMC Data Computing Appliance (DCA)

Amazon Linux AMI update for libxml2

Red Hat Enterprise Linux 7 update for libxml2

Infinite loop in libxml2 (Alpine package)

OpenSUSE Linux update for libxml2

Denial of service in GNOME libxml2