#VU88550 Improper Initialization in Binutils - CVE-2020-35342

Cybersecurity Help s.r.o.

Published: 2024-04-16

Vulnerability identifier: #VU88550

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-35342

CWE-ID: CWE-665

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Binutils
Universal components / Libraries / Libraries used by multiple products

Vendor: GNU

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to GNU Binutils has an uninitialized-heap vulnerability in function tic4x_print_cond (file opcodes/tic4x-dis.c). A remote attacker can run a specially crafted application to execute arbitrary code with escalated privileges on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Binutils: before 2.34

External links
https://sourceware.org/bugzilla/show_bug.cgi?id=25319
https://security.netapp.com/advisory/ntap-20231006-0009/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Sterling Order Management

Ubuntu update for binutils