#VU32621 Use-after-free in lighttpd - CVE-2013-4560

Cybersecurity Help s.r.o.

Published: 2013-11-20 | Updated: 2020-07-28

Vulnerability identifier: #VU32621

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2013-4560

CWE-ID: CWE-416

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
lighttpd
Server applications / Web servers

Vendor: lighttpd

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing unspecified vectors that trigger FAMMonitorDirectory failures. A remote attackers can cause a denial of service (segmentation fault and crash).

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation
Update to version 1.4.33.

Vulnerable software versions

lighttpd: 1.4.1 - 1.4.32

External links
https://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt
https://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html
https://marc.info/?l=bugtraq&m=141576815022399&w=2
https://secunia.com/advisories/55682
https://www.openwall.com/lists/oss-security/2013/11/12/4
https://www.debian.org/security/2013/dsa-2795

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in HP Remote Device Access: Virtual Customer Access System (vCAS)

Gentoo update for lighttpd

Amazon Linux AMI update for lighttpd

Fedora EPEL 5 update for lighttpd

Fedora EPEL 6 update for lighttpd

Use-after-free in lighttpd

Use-after-free in lighttpd (Alpine package)