#VU8647 Integer overflow in Libidn2 - CVE-2017-14062

Cybersecurity Help s.r.o.

Published: 2017-10-01 | Updated: 2017-10-02

Vulnerability identifier: #VU8647

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-14062

CWE-ID: CWE-190

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Libidn2
Universal components / Libraries / Libraries used by multiple products

Vendor: GNU

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4. A remote attacker can cause a denial of service or possibly have unspecified other impact.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Install update from GIT repository:
https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd

Vulnerable software versions

Libidn2: 2.0.1 - 2.0.3

External links
https://gitlab.com/libidn/libidn2/blob/master/NEWS
https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for glibc

Ubuntu update for Libidn

Debian update for libidn2-0

Ubuntu update for Libidn2

Two integer overflows in Libidn2

IBM Flex System Chassis Management Module (CMM) update for Libidn2

IBM Integrated Management Module II (IMM2) update for Libidn2