Vulnerabilities > CVE-2010-2448 - Denial Of Service vulnerability in ZNC NULL Pointer Dereference
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
SINGLE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
znc.cpp in ZNC before 0.092 allows remote authenticated users to cause a denial of service (crash) by requesting traffic statistics when there is an active unauthenticated connection, which triggers a NULL pointer dereference, as demonstrated using (1) a traffic link in the web administration pages or (2) the traffic command in the /znc shell. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference'
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | Znc
| 40 |
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2010-10078.NASL description Bug 603915 - znc: NULL pointer dereference flaw leads to segfault under certain conditions A Debian bug report [1] noted that ZNC would segfault under certain conditions, such as clicking last seen 2020-06-01 modified 2020-06-02 plugin id 47207 published 2010-07-01 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/47207 title Fedora 12 : znc-0.090-2.fc12 (2010-10078) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2010-10078. # include("compat.inc"); if (description) { script_id(47207); script_version("1.10"); script_cvs_date("Date: 2019/08/02 13:32:31"); script_cve_id("CVE-2010-2448"); script_bugtraq_id(40982); script_xref(name:"FEDORA", value:"2010-10078"); script_name(english:"Fedora 12 : znc-0.090-2.fc12 (2010-10078)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Bug 603915 - znc: NULL pointer dereference flaw leads to segfault under certain conditions A Debian bug report [1] noted that ZNC would segfault under certain conditions, such as clicking 'traffic' in the webadmin pages or issuing the traffic command on the /znc shell. This has been corrected upstream [2]. This vulnerability was reported against 0.090 which is the version that Fedora provides. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584929 [2] http://znc.svn.sourceforge.net/viewvc/znc?view=rev&revision=2026 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584929 script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584929" ); script_set_attribute( attribute:"see_also", value:"http://znc.svn.sourceforge.net/viewvc/znc?view=rev&revision=2026" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=603915" ); # https://lists.fedoraproject.org/pipermail/package-announce/2010-June/043043.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?e3d1bf0f" ); script_set_attribute(attribute:"solution", value:"Update the affected znc package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:znc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:12"); script_set_attribute(attribute:"patch_publication_date", value:"2010/06/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/01"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^12([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 12.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC12", reference:"znc-0.090-2.fc12")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "znc"); }NASL family Fedora Local Security Checks NASL id FEDORA_2010-10082.NASL description Bug 603915 - znc: NULL pointer dereference flaw leads to segfault under certain conditions A Debian bug report [1] noted that ZNC would segfault under certain conditions, such as clicking last seen 2020-06-01 modified 2020-06-02 plugin id 47208 published 2010-07-01 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/47208 title Fedora 11 : znc-0.090-2.fc11 (2010-10082) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2010-10082. # include("compat.inc"); if (description) { script_id(47208); script_version("1.10"); script_cvs_date("Date: 2019/08/02 13:32:31"); script_cve_id("CVE-2010-2448"); script_bugtraq_id(40982); script_xref(name:"FEDORA", value:"2010-10082"); script_name(english:"Fedora 11 : znc-0.090-2.fc11 (2010-10082)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Bug 603915 - znc: NULL pointer dereference flaw leads to segfault under certain conditions A Debian bug report [1] noted that ZNC would segfault under certain conditions, such as clicking 'traffic' in the webadmin pages or issuing the traffic command on the /znc shell. This has been corrected upstream [2]. This vulnerability was reported against 0.090 which is the version that Fedora provides. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584929 [2] http://znc.svn.sourceforge.net/viewvc/znc?view=rev&revision=2026 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584929 script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584929" ); script_set_attribute( attribute:"see_also", value:"http://znc.svn.sourceforge.net/viewvc/znc?view=rev&revision=2026" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=603915" ); # https://lists.fedoraproject.org/pipermail/package-announce/2010-June/043044.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?d3066ac5" ); script_set_attribute(attribute:"solution", value:"Update the affected znc package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:znc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:11"); script_set_attribute(attribute:"patch_publication_date", value:"2010/06/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/01"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^11([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 11.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC11", reference:"znc-0.090-2.fc11")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "znc"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2069.NASL description It was discovered that ZNC, an IRC bouncer, is vulnerable to denial of service attacks via a NULL pointer dereference when traffic statistics are requested while there is an unauthenticated connection. last seen 2020-06-01 modified 2020-06-02 plugin id 47705 published 2010-07-13 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/47705 title Debian DSA-2069-1 : znc - denial of service NASL family Fedora Local Security Checks NASL id FEDORA_2010-10042.NASL description Bug 603915 - znc: NULL pointer dereference flaw leads to segfault under certain conditions A Debian bug report [1] noted that ZNC would segfault under certain conditions, such as clicking last seen 2020-06-01 modified 2020-06-02 plugin id 47205 published 2010-07-01 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/47205 title Fedora 13 : znc-0.090-2.fc13 (2010-10042)
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584929
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043000.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043043.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043044.html
- http://secunia.com/advisories/40523
- http://sourceforge.net/projects/znc/files/znc/0.092/znc-0.092-changelog.txt/view
- http://www.debian.org/security/2010/dsa-2069
- http://www.securityfocus.com/bid/40982
- http://www.vupen.com/english/advisories/2010/1775
- http://znc.svn.sourceforge.net/viewvc/znc/trunk/znc.cpp?r1=2025&r2=2026&pathrev=2026
- http://znc.svn.sourceforge.net/viewvc/znc?revision=2026&view=revision