#VU1590 Stack-based buffer overflow in libtASN1 - CVE-2015-2806


| Updated: 2017-08-03

Vulnerability identifier: #VU1590

Vulnerability risk: Low

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2015-2806

CWE-ID: CWE-121

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libtASN1
Universal components / Libraries / Libraries used by multiple products

Vendor: GNU

Description
The vulnerability allows a remote attacker to bypass security restrictions.

The weakness exists due to stack-based buffer overflow in asn1_der_decoding. A remote attacker can trigger memory corruption and have unspecified impact on the system.

Mitigation
Update to version 4.4 or later.

Vulnerable software versions

libtASN1: 0.1.0 - 4.3

External links
https://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=4d4f992826a4962790ecd0cce6fbba4a415ce149

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Red Hat update for GNU libtasn1
Debian update for libtasn1-3
Gentoo update for libtasn1
Stack-based buffer overflow in libtasn1 (Alpine package)
Fedora EPEL 7 update for mingw-gnutls, mingw-libtasn1, mingw-p11-kit
Ubuntu update for Libtasn1
Arch Linux update for libtasn1
Fedora 22 update for mingw-gnutls, mingw-libtasn1
Fedora 21 update for mingw-gnutls, mingw-libtasn1
Fedora 21 update for libtasn1