#VU17375 Resource exhaustion in elfutils - CVE-2019-7148

Cybersecurity Help s.r.o.

Published: 2019-02-05

Vulnerability identifier: #VU17375

Vulnerability risk: Low

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2019-7148

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
elfutils
Server applications / File servers (FTP/HTTP)

Vendor: Sourceware

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the libelf component due to improper handling of Executable and Linkable Format (ELF) files by the read_long_names function, as defined in the elf_begin.c source code file. A remote attacker can trick the victim into accessing an ELF file that submits malicious input and cause the affected application to improperly allocate excessive memory resources, resulting in a DoS condition.

Mitigation
Cybersecurity Help in currently unaware of any official solution to address the vulnerability.

Vulnerable software versions

elfutils: 0.174

External links
https://sourceware.org/bugzilla/show_bug.cgi?id=24085

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

SUSE update for dwarves and elfutils

Resource exhaustion in elfutils (Alpine package)

Arch Linux update for libelf

Denial of service in elfutils