#VU22616 Out-of-bounds read in libtomcrypt - CVE-2019-17362

Cybersecurity Help s.r.o.

Published: 2019-11-10

Vulnerability identifier: #VU22616

Vulnerability risk: Low

CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2019-17362

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libtomcrypt
Universal components / Libraries / Libraries used by multiple products

Vendor: LibTom

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) atttack.

The vulnerability exists due to a boundary condition within the der_decode_utf8_string() function in der_decode_utf8_string.c file in LibTomCrypt. A remote attacker can pass to the application specially crafted DER-encoded data, trigger out-of-bounds read error and cause application crash.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

libtomcrypt: 1.18.0 - 1.18.2

External links
https://github.com/libtom/libtomcrypt/issues/507
https://github.com/libtom/libtomcrypt/pull/508
https://vuldb.com/?id.142995

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Fedora 38 update for perl-CryptX

Fedora 39 update for perl-CryptX

Fedora 37 update for perl-CryptX

openEuler update for libtomcrypt

OpenSUSE Linux update for libtomcrypt

Denial of service in LibTomCrypt