#VU29255 Resource exhaustion in UnZip - CVE-2019-13232

Cybersecurity Help s.r.o.

Published: 2020-06-25

Vulnerability identifier: #VU29255

Vulnerability risk: Medium

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-13232

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
UnZip
Client/Desktop applications / Software for archiving

Vendor: Info-ZIP

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack via a specially crafted zip file.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

UnZip: 5.2 - 6.10 b

External links
https://github.com/madler/unzip
https://lists.debian.org/debian-lts-announce/2019/07/msg00005.html
https://lists.debian.org/debian-lts-announce/2019/07/msg00027.html
https://security.gentoo.org/glsa/202003-58
https://security.netapp.com/advisory/ntap-20190814-0002/
https://support.f5.com/csp/article/K80311892?utm_source=f5support&utm_medium=RSS
https://www.bamsoftware.com/hacks/zipbomb/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Oracle Solaris update for thrid-party components

Red Hat Enterprise Linux 7.7 Extended Update Support update for unzip

Red Hat Enterprise Linux 8 update for unzip

Red Hat Enterprise Linux 7 update for unzip

Resource exhaustion in unzip (Alpine package)

Gentoo update for UnZip

Denial of service in Info-ZIP UnZip