Vulnerabilities > CVE-2014-9087 - Integer Underflow (Wrap or Wraparound) vulnerability in multiple products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Integer underflow in the ksba_oid_to_str function in Libksba before 1.3.2, as used in GnuPG, allows remote attackers to cause a denial of service (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP data, which triggers a buffer overflow.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 2 | |
| OS | 2 | |
| OS | 3 | |
| Application | 3 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2015-151.NASL description Updated libksba packages fix security vulnerability : By using special crafted S/MIME messages or ECC based OpenPGP data, it is possible to create a buffer overflow, which could lead to a denial of service (CVE-2014-9087). last seen 2020-06-01 modified 2020-06-02 plugin id 82404 published 2015-03-30 reporter This script is Copyright (C) 2015-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82404 title Mandriva Linux Security Advisory : libksba (MDVSA-2015:151) NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-799.NASL description This libksba update fixes the following security issue : - bnc#907074: buffer overflow in OID processing (CVE-2014-9087) last seen 2020-06-05 modified 2014-12-23 plugin id 80212 published 2014-12-23 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/80212 title openSUSE Security Update : libksba (openSUSE-SU-2014:1682-1) NASL family Fedora Local Security Checks NASL id FEDORA_2014-15847.NASL description Minor update from upstream fixing moderate impact security issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-12-06 plugin id 79752 published 2014-12-06 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/79752 title Fedora 20 : libksba-1.3.2-1.fc20 (2014-15847) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2014-234.NASL description Updated libksba packages fix security vulnerability : By using special crafted S/MIME messages or ECC based OpenPGP data, it is possible to create a buffer overflow, which could lead to a denial of service (CVE-2014-9087). last seen 2020-06-01 modified 2020-06-02 plugin id 79630 published 2014-12-01 reporter This script is Copyright (C) 2014-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/79630 title Mandriva Linux Security Advisory : libksba (MDVSA-2014:234) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3078.NASL description An integer underflow flaw, leading to a heap-based buffer overflow, was found in the ksba_oid_to_str() function of libksba, an X.509 and CMS (PKCS#7) library. By using special crafted S/MIME messages or ECC based OpenPGP data, it is possible to create a buffer overflow, which could cause an application using libksba to crash (denial of service), or potentially, execute arbitrary code. last seen 2020-03-17 modified 2014-11-28 plugin id 79600 published 2014-11-28 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79600 title Debian DSA-3078-1 : libksba - security update NASL family Debian Local Security Checks NASL id DEBIAN_DLA-141.NASL description A vulnerability has been fixed in the libksba X.509 and CMS support library : CVE-2014-9087 Fix buffer overflow in ksba_oid_to_str reported by Hanno Böck. We recommend that you upgrade your libksba packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2015-03-26 plugin id 82124 published 2015-03-26 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82124 title Debian DLA-141-1 : libksba security update NASL family Fedora Local Security Checks NASL id FEDORA_2014-15838.NASL description Minor update from upstream fixing moderate impact security issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-12-07 plugin id 79786 published 2014-12-07 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/79786 title Fedora 19 : libksba-1.3.2-1.fc19 (2014-15838) NASL family Fedora Local Security Checks NASL id FEDORA_2014-15863.NASL description Minor update from upstream fixing moderate impact security issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-12-07 plugin id 79788 published 2014-12-07 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/79788 title Fedora 21 : libksba-1.3.2-1.fc21 (2014-15863) NASL family SuSE Local Security Checks NASL id SUSE_11_LIBKSBA-141211.NASL description This libksba update fixes the following security issue : - buffer overflow in ksba_oid_to_str (CVE-2014-9087). (bnc#907074) last seen 2020-06-05 modified 2014-12-22 plugin id 80166 published 2014-12-22 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/80166 title SuSE 11.3 Security Update : libksba (SAT Patch Number 10087) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2427-1.NASL description Hanno Bock discovered that Libksba incorrectly handled certain S/MIME messages or ECC based OpenPGP data. An attacker could use this issue to cause Libksba to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 79623 published 2014-11-28 reporter Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79623 title Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : libksba vulnerability (USN-2427-1)
References
- http://secunia.com/advisories/60189
- http://secunia.com/advisories/60073
- http://secunia.com/advisories/60233
- https://blog.fuzzing-project.org/2-Buffer-overflow-and-other-minor-issues-in-GnuPG-and-libksba-TFPA-0012014.html
- http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html
- http://www.ubuntu.com/usn/USN-2427-1
- http://www.debian.org/security/2014/dsa-3078
- http://advisories.mageia.org/MGASA-2014-0498.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:234
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:151
- http://www.securityfocus.com/bid/71285