#VU19504 OS Command Injection in Patch - CVE-2019-13638

Cybersecurity Help s.r.o.

Published: 2019-07-28

Vulnerability identifier: #VU19504

Vulnerability risk: Low

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-13638

CWE-ID: CWE-78

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Patch
Server applications / File servers (FTP/HTTP)

Vendor: GNU

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of ed style diff payload with shell metacharacters in patch files. A remote attacker can trick the victim to use a specially crafted patch file and execute arbitrary OS commands.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Patch: 2.7.0 - 2.7.6

External links
https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
https://security-tracker.debian.org/tracker/CVE-2019-13638
https://www.debian.org/security/2019/dsa-4489

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat update for patch

Red Hat Enterprise Linux 7.6 Extended Update Support update for patch

Amazon Linux AMI update for patch

Red Hat update for patch

Gentoo update for Patch

OS Command Injection in patch (Alpine package)

Debian update for patch

Fedora 30 update for patch