#VU6170 Off-by-one error in Compress::Raw::Zlib - CVE-2009-1391

Cybersecurity Help s.r.o.

Published: 2017-03-24

Vulnerability identifier: #VU6170

Vulnerability risk: Critical

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2009-1391

CWE-ID: CWE-193

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Compress::Raw::Zlib
Client/Desktop applications / Software for archiving

Vendor: Perl

Description
The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to off-by-one error in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017 when processing specially crafted zlib archives. A remote attacker can pass a specially crafted zlib archive to vulnerable application, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation may allow an attacker to compromise vulnerable system.

Note: this vulnerability is being actively exploited in the wild against AMaViS and SpamAssassin, which use vulnerable Perl module.

Mitigation
Update Compress::Raw::Zlib Perl module to version 2.017.

Vulnerable software versions

Compress::Raw::Zlib: 2.015

External links
https://bugzilla.redhat.com/show_bug.cgi?id=504386
https://code.activestate.com/lists/activeperl/%3c00e401ca276c$9deaea50$d9c0bef0$@com%3e/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

Latest bulletins with this vulnerability

Ubuntu update for Perl

Remote code execution in Compress::Raw::Zlib Perl module