#VU15691 Buffer overflow in Icecast - CVE-2018-18820


Vulnerability identifier: #VU15691

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-18820

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Icecast
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor: Icecast.org

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing URL in url_add_client() function in auth_url.c. A remote unauthenticated attacker can send an overly long URL to the affected server, trigger buffer overflow and crash the server or execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Icecast: 2.4.0 - 2.4.3

External links
https://gitlab.xiph.org/xiph/icecast-server/issues/2342

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


OpenSUSE Linux update for icecast
Gentoo update for Icecast
Fedora EPEL 6 update for icecast
Buffer overflow in icecast (Alpine package)
Debian update for icecast2
Fedora EPEL 7 update for icecast
Fedora 27 update for icecast
Fedora 28 update for icecast
Fedora 29 update for icecast
Remote code execution in Icecast server