Vulnerability identifier: #VU17266
Vulnerability risk: Low
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID:
CWE-ID: CWE-416
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
libical
Universal components / Libraries / Libraries used by multiple products
Vendor: libical
Description
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a use-after-free error when processing iCalendar (.ics) files. A remote attacker can trick the victim into opening a specially crafted calendar file, trigger the use-after-free error and crash the affected application.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
libical: 0.47 - 1.0.1
External links
https://www.openwall.com/lists/oss-security/2016/06/25/4
https://www.openwall.com/lists/oss-security/2017/01/20/16
https://bugzilla.mozilla.org/show_bug.cgi?id=1275400
https://github.com/libical/libical/issues/235
https://github.com/libical/libical/issues/251
https://github.com/libical/libical/issues/286
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.