#VU17229 Heap use-after-free in Lua - CVE-2019-6706

Cybersecurity Help s.r.o.

Published: 2019-01-27 | Updated: 2021-06-17

Vulnerability identifier: #VU17229

Vulnerability risk: Low

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2019-6706

CWE-ID: CWE-416

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Lua
Universal components / Libraries / Scripting languages

Vendor: Lua

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a geap use-after-free error in lua_upvaluejoin in lapi.c. A remote attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships can cause the service to crash.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Lua: 5.3.5

External links
https://lua.2524044.n2.nabble.com/Bug-Report-Use-after-free-in-debug-upvaluejoin-tc7685506.html
https://www.exploit-db.com/exploits/46246/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell EMC Cyber Recovery

Red Hat update for lua

Ubuntu update for Lua

OpenSUSE Linux update for lua53

Fedora 29 update for lua

Denial of service in Lua

Heap use-after-free in lua5.3 (Alpine package)