CVE-2004-0418

Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |

Summary
serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data.
Vulnerable Configurations

Part | Description | Count |
---|---|---|
Application | Cvs | 20 |
Application | | 3 |
Application | | 2 |
OS | | 1 |
OS | | 3 |
Nessus

NASL family: SuSE Local Security Checks
NASL id: SUSE_SA_2004_015.NASL
Description: The remote host is missing the patch for the advisory SuSE-SA:2004:015 (cvs). The Concurrent Versions System (CVS) offers tools which allow developers to share and maintain large software projects. Various remotely exploitable conditions have been found during a source code review of CVS done by Stefan Esser and Sebastian Krahmer (SuSE Security-Team). These bugs allow remote attackers to execute arbitrary code as the user the CVS server runs as. Since there is no easy workaround we strongly recommend to update the cvs package. The update packages fix vulnerabilities which have been assigned the CAN numbers CVE-2004-0416, CVE-2004-0417 and CVE-2004-0418. The cvs packages shipped by SUSE (as well as our recent updates for CVS) are not vulnerable to CVE-2004-0414. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 13831
Published: 2004-07-25
Reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/13831
Title: SuSE-SA:2004:015: cvs
Code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# This plugin text was extracted from SuSE Security Advisory SuSE-SA:2004:015
#

if ( ! defined_func("bn_random") ) exit(0);

include("compat.inc");

if(description)
{
 script_id(13831);
 script_version ("1.16");
 script_cve_id("CVE-2004-0416", "CVE-2004-0417", "CVE-2004-0418");

 name["english"] = "SuSE-SA:2004:015: cvs";
 script_name(english:name["english"]);

 script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a vendor-supplied security patch" );
 script_set_attribute(attribute:"description", value:
"The remote host is missing the patch for the advisory SuSE-SA:2004:015 (cvs).

The Concurrent Versions System (CVS) offers tools which allow developers
to share and maintain large software projects.

Various remotely exploitable conditions have been found during a source
code review of CVS done by Stefan Esser and Sebastian Krahmer (SuSE
Security-Team). These bugs allow remote attackers to execute arbitrary
code as the user the CVS server runs as.

Since there is no easy workaround we strongly recommend to update the
cvs package.

The update packages fix vulnerabilities which have been assigned the
CAN numbers CVE-2004-0416, CVE-2004-0417 and CVE-2004-0418.
The cvs packages shipped by SUSE (as well as our recent updates for CVS)
are not vulnerable to CVE-2004-0414.

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command 'rpm -Fhv file.rpm' to apply
the update." );
 script_set_attribute(attribute:"solution", value:
"http://www.suse.de/security/2004_15_cvs.html" );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploited_by_malware", value:"true");
 script_cwe_id(119);

 script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/25");
 script_cvs_date("Date: 2019/10/25 13:36:27");
 script_end_attributes();

 summary["english"] = "Check for the version of the cvs package";
 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
 family["english"] = "SuSE Local Security Checks";
 script_family(english:family["english"]);

 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/SuSE/rpm-list");
 exit(0);
}

include("rpm.inc");

# Flag any of the affected SuSE releases that still carry a cvs package
# older than the fixed build.
if ( rpm_check( reference:"cvs-1.11.1p1-332", release:"SUSE8.0") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"cvs-1.11.1p1-332", release:"SUSE8.1") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"cvs-1.11.5-114", release:"SUSE8.2") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"cvs-1.11.6-83", release:"SUSE9.0") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"cvs-1.11.14-24.6", release:"SUSE9.1") )
{
 security_hole(0);
 exit(0);
}

# The cvs package is present and up to date: record the CVEs as addressed.
if (rpm_exists(rpm:"cvs-", release:"SUSE8.0")
    || rpm_exists(rpm:"cvs-", release:"SUSE8.1")
    || rpm_exists(rpm:"cvs-", release:"SUSE8.2")
    || rpm_exists(rpm:"cvs-", release:"SUSE9.0")
    || rpm_exists(rpm:"cvs-", release:"SUSE9.1") )
{
 set_kb_item(name:"CVE-2004-0416", value:TRUE);
 set_kb_item(name:"CVE-2004-0417", value:TRUE);
 set_kb_item(name:"CVE-2004-0418", value:TRUE);
}
```
NASL family: Slackware Local Security Checks
NASL id: SLACKWARE_SSA_2004-161-01.NASL
Description: New cvs packages that have been upgraded to cvs-1.11.17 are available for Slackware 8.1, 9.0, 9.1, and -current to fix various security issues. Sites running a CVS server should upgrade to the new CVS package right away.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 18779
Published: 2005-07-13
Reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/18779
Title: Slackware 8.1 / 9.0 / 9.1 / current : cvs (SSA:2004-161-01)
Code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Slackware Security Advisory 2004-161-01. The text
# itself is copyright (C) Slackware Linux, Inc.
#

include("compat.inc");

if (description)
{
  script_id(18779);
  script_version("1.20");
  script_cvs_date("Date: 2019/10/25 13:36:20");

  script_cve_id("CVE-2004-0414", "CVE-2004-0416", "CVE-2004-0417", "CVE-2004-0418");
  script_xref(name:"SSA", value:"2004-161-01");

  script_name(english:"Slackware 8.1 / 9.0 / 9.1 / current : cvs (SSA:2004-161-01)");
  script_summary(english:"Checks for updated package in /var/log/packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Slackware host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"New cvs packages that have been upgraded to cvs-1.11.17 are available
for Slackware 8.1, 9.0, 9.1, and -current to fix various security
issues. Sites running a CVS server should upgrade to the new CVS
package right away."
  );
  # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.427370
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?898d2588"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected cvs package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_cwe_id(119);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:cvs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/06/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
  script_set_attribute(attribute:"vuln_publication_date", value:"2004/06/09");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Slackware Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("slackware.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 / x86_64 package lists are understood by this check.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);

# Count releases whose installed cvs package is older than 1.11.17.
flag = 0;
if (slackware_check(osver:"8.1", pkgname:"cvs", pkgver:"1.11.17", pkgarch:"i386", pkgnum:"1")) flag++;
if (slackware_check(osver:"9.0", pkgname:"cvs", pkgver:"1.11.17", pkgarch:"i386", pkgnum:"1")) flag++;
if (slackware_check(osver:"9.1", pkgname:"cvs", pkgver:"1.11.17", pkgarch:"i486", pkgnum:"1")) flag++;
if (slackware_check(osver:"current", pkgname:"cvs", pkgver:"1.11.17", pkgarch:"i486", pkgnum:"1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: Misc.
NASL id: CVS_MALFORMED_ENTRY_LINES_FLAW.NASL
Description: The remote CVS server, according to its version number, might allow an attacker to execute arbitrary commands on the remote system because of a flaw relating to malformed Entry lines which lead to a missing NULL terminator. Among the issues deemed likely to be exploitable were:
- A double-free relating to the error_prog_name string. (CVE-2004-0416)
- An argument integer overflow. (CVE-2004-0417)
- Out-of-bounds writes in serv_notify. (CVE-2004-0418)
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 12265
Published: 2004-06-09
Reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/12265
Title: CVS < 1.11.17 / 1.12.9 Multiple Vulnerabilities
Code:

```
#
# (C) Tenable Network Security, Inc.
#
# Ref:
#  Date: Wed, 9 Jun 2004 15:00:04 +0200
#  From: Stefan Esser <[email protected]>
#  To: [email protected], [email protected],
#      [email protected], [email protected]
#  Subject: Advisory 09/2004: More CVS remote vulnerabilities
#

include("compat.inc");

if (description)
{
  script_id(12265);
  script_version("1.28");
  script_cve_id("CVE-2004-0414", "CVE-2004-0416", "CVE-2004-0417", "CVE-2004-0418", "CVE-2004-1471");
  script_bugtraq_id(10499);
  script_xref(name:"RHSA", value:"2004:233-017");

  script_name(english:"CVS < 1.11.17 / 1.12.9 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote CVS server is affected by multiple issues." );
  script_set_attribute(attribute:"description", value:
"The remote CVS server, according to its version number, might allow an
attacker to execute arbitrary commands on the remote system because of
a flaw relating to malformed Entry lines which lead to a missing NULL
terminator.

Among the issues deemed likely to be exploitable were:

  - A double-free relating to the error_prog_name string.
    (CVE-2004-0416)

  - An argument integer overflow. (CVE-2004-0417)

  - Out-of-bounds writes in serv_notify. (CVE-2004-0418)" );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2004/Jun/234" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to CVS 1.12.9 or 1.11.17." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_cwe_id(119);

  script_set_attribute(attribute:"plugin_publication_date", value: "2004/06/09");
  script_set_attribute(attribute:"vuln_publication_date", value: "2004/06/09");
  script_cvs_date("Date: 2018/11/15 20:50:23");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"Logs into the remote CVS server and asks the version");
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
  script_family(english:"Misc.");
  script_require_ports("Services/cvspserver", 2401);
  script_dependencies("find_service1.nasl", "cvs_pserver_heap_overflow.nasl");
  exit(0);
}

include('global_settings.inc');

# Locate the pserver port (default 2401) and the banner version already
# gathered by the dependency plugins.
port = get_kb_item("Services/cvspserver");
if(!port)port = 2401;
if(!get_port_state(port))exit(0);

version = get_kb_item(string("cvs/", port, "/version"));
if ( ! version ) exit(0);

# Matches 1.0.x through 1.10.x, 1.11.0 through 1.11.16 and 1.12.0 through 1.12.8.
if(ereg(pattern:".* 1\.([0-9]\.|10\.|11\.([0-9][^0-9]|1[0-6])|12\.[0-8][^0-9]).*", string:version))
  security_hole(port);
```
NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_CVS_11117.NASL
Description: The following package needs to be updated: FreeBSD
Last seen: 2016-09-26
Modified: 2011-10-02
Plugin id: 14282
Published: 2004-08-17
Reporter: Tenable
Source: https://www.tenable.com/plugins/index.php?view=single&id=14282
Title: FreeBSD : cvs -- numerous vulnerabilities (29)

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_CVS_NUMEROUS_VULNS.NASL
Description: The remote host is running a version of FreeBSD which contains a version of the 'cvs' utility containing several issues :
- An insufficient input validation while processing 'Entry' lines
- A double-free issue
- An integer overflow when processing 'Max-dotdot' commands
- A format string bug when processing cvs wrappers
- A single-byte buffer overflow when processing configuration files
- Various other integer overflows
Last seen: 2016-09-26
Modified: 2011-10-02
Plugin id: 14812
Published: 2004-09-24
Reporter: Tenable
Source: https://www.tenable.com/plugins/index.php?view=single&id=14812
Title: FreeBSD : SA-04:14.cvs

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2004-169.NASL
Description: While investigating a previously fixed vulnerability, Derek Price discovered a flaw relating to malformed
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 13723
Published: 2004-07-23
Reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/13723
Title: Fedora Core 1 : cvs-1.11.17-1 (2004-169)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2004-170.NASL
Description: While investigating a previously fixed vulnerability, Derek Price discovered a flaw relating to malformed
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 13724
Published: 2004-07-23
Reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/13724
Title: Fedora Core 2 : cvs-1.11.17-2 (2004-170)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-519.NASL
Description: Sebastian Krahmer and Stefan Esser discovered several vulnerabilities in the CVS server, which serves the popular Concurrent Versions System. The Common Vulnerabilities and Exposures project identifies the following problems :
- CAN-2004-0416: double-free() in error_prog_name
- CAN-2004-0417: argument integer overflow
- CAN-2004-0418: out of bound writes in serve_notify()
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 15356
Published: 2004-09-29
Reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/15356
Title: Debian DSA-519-1 : cvs - several vulnerabilities

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_D2102505F03D11D881B0000347A4FA7D.NASL
Description: A number of vulnerabilities were discovered in CVS by Stefan Esser, Sebastian Krahmer, and Derek Price. - Insufficient input validation while processing
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 37427
Published: 2009-04-23
Reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/37427
Title: FreeBSD : cvs -- numerous vulnerabilities (d2102505-f03d-11d8-81b0-000347a4fa7d)

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200406-06.NASL
Description: The remote host is affected by the vulnerability described in GLSA-200406-06 (CVS: additional DoS and arbitrary code execution vulnerabilities). A team audit of the CVS source code performed by Stefan Esser and Sebastian Krahmer resulted in the discovery of several remotely exploitable vulnerabilities including: no-null-termination of
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 14517
Published: 2004-08-30
Reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/14517
Title: GLSA-200406-06 : CVS: additional DoS and arbitrary code execution vulnerabilities

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2004-233.NASL
Description: An updated cvs package that fixes several server vulnerabilities, which could be exploited by a malicious client, is now available. CVS is a version control system frequently used to manage source code repositories. While investigating a previously fixed vulnerability, Derek Price discovered a flaw relating to malformed
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 12500
Published: 2004-07-06
Reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/12500
Title: RHEL 2.1 / 3 : cvs (RHSA-2004:233)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-517.NASL
Description: Derek Robert Price discovered a potential buffer overflow vulnerability in the CVS server, based on a malformed Entry, which serves the popular Concurrent Versions System.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 15354
Published: 2004-09-29
Reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/15354
Title: Debian DSA-517-1 : cvs - buffer overflow

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2004-058.NASL
Description: Another vulnerability was discovered related to
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 14157
Published: 2004-07-31
Reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/14157
Title: Mandrake Linux Security Advisory : cvs (MDKSA-2004:058)
Oval

Id: oval:org.mitre.oval:def:1003
Accepted: 2004-08-04T12:00:00.000-04:00
Class: vulnerability
Contributors: Jay Beale (Bastille Linux)
Description: serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data.
Family: unix
Status: accepted
Submitted: 2004-06-29T12:00:00.000-04:00
Title: CVS serve_notify Improper Handling of Empty Data Lines
Version: 4

Id: oval:org.mitre.oval:def:11242
Accepted: 2013-04-29T04:12:37.748-04:00
Class: vulnerability
Contributors: Aharon Chernin (SCAP.com, LLC); Dragos Prisaca (G2, Inc.)
Definition extensions:
- The operating system installed on the system is Red Hat Enterprise Linux 3 (oval:org.mitre.oval:def:11782)
- CentOS Linux 3.x (oval:org.mitre.oval:def:16651)
Description: serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data.
Family: unix
Status: accepted
Submitted: 2010-07-09T03:56:16-04:00
Title: serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data.
Version: 26
References
- ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
- ftp://patches.sgi.com/support/free/security/advisories/20040605-01-U.asc
- http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/022441.html
- http://marc.info/?l=bugtraq&m=108716553923643&w=2
- http://security.e-matters.de/advisories/092004.html
- http://security.gentoo.org/glsa/glsa-200406-06.xml
- http://www.debian.org/security/2004/dsa-519
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:058
- http://www.redhat.com/support/errata/RHSA-2004-233.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1003
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11242