Vulnerabilities > CVE-2015-5380 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence.

Vulnerable Configurations

Part Description Count
Application
Google
1
Application
Iojs
10
Application
Nodejs
494

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL17238.NASL
    descriptionThe Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence.
    last seen2020-06-01
    modified2020-06-02
    plugin id85855
    published2015-09-09
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85855
    titleF5 Networks BIG-IP : Node.js vulnerability (SOL17238)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from F5 Networks BIG-IP Solution SOL17238.
    #
    # The text description of this plugin is (C) F5 Networks.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(85855);
      script_version("2.6");
      script_cvs_date("Date: 2019/01/04 10:03:40");
    
      script_cve_id("CVE-2015-5380");
      script_bugtraq_id(75556);
    
      script_name(english:"F5 Networks BIG-IP : Node.js vulnerability (SOL17238)");
      script_summary(english:"Checks the BIG-IP version.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote device is missing a vendor-supplied security patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in
    Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and
    2.x before 2.3.3, and other products, does not verify that there is
    memory available for a UTF-16 surrogate pair, which allows remote
    attackers to cause a denial of service (memory corruption) or possibly
    have unspecified other impact via a crafted byte sequence."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://support.f5.com/csp/article/K17238"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade to one of the non-vulnerable versions listed in the F5
    Solution SOL17238."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/09/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/09/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"F5 Networks Local Security Checks");
    
      script_dependencies("f5_bigip_detect.nbin");
      script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version");
    
      exit(0);
    }
    
    
    include("f5_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    version = get_kb_item("Host/BIG-IP/version");
    if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
    if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
    if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");
    
    sol = "SOL17238";
    vmatrix = make_array();
    
    # AFM
    vmatrix["AFM"] = make_array();
    vmatrix["AFM"]["affected"  ] = make_list("12.0.0","11.5.0-11.6.0");
    vmatrix["AFM"]["unaffected"] = make_list("12.1.0","12.0.0HF3","11.6.1","11.3.0-11.4.1");
    
    # AM
    vmatrix["AM"] = make_array();
    vmatrix["AM"]["affected"  ] = make_list("12.0.0","11.5.0-11.6.0");
    vmatrix["AM"]["unaffected"] = make_list("12.1.0","12.0.0HF3","11.6.1","11.4.0-11.4.1");
    
    # APM
    vmatrix["APM"] = make_array();
    vmatrix["APM"]["affected"  ] = make_list("12.0.0","11.5.0-11.6.0");
    vmatrix["APM"]["unaffected"] = make_list("12.1.0","12.0.0HF3","11.6.1","11.0.0-11.4.1","10.1.0-10.2.4");
    
    # ASM
    vmatrix["ASM"] = make_array();
    vmatrix["ASM"]["affected"  ] = make_list("12.0.0","11.5.0-11.6.0");
    vmatrix["ASM"]["unaffected"] = make_list("12.1.0","12.0.0HF3","11.6.1","11.0.0-11.4.1","10.1.0-10.2.4");
    
    # AVR
    vmatrix["AVR"] = make_array();
    vmatrix["AVR"]["affected"  ] = make_list("12.0.0","11.5.0-11.6.0");
    vmatrix["AVR"]["unaffected"] = make_list("12.1.0","12.0.0HF3","11.6.1","11.0.0-11.4.1");
    
    # GTM
    vmatrix["GTM"] = make_array();
    vmatrix["GTM"]["affected"  ] = make_list("11.5.0-11.6.0");
    vmatrix["GTM"]["unaffected"] = make_list("11.6.1","11.0.0-11.4.1","10.1.0-10.2.4");
    
    # LC
    vmatrix["LC"] = make_array();
    vmatrix["LC"]["affected"  ] = make_list("12.0.0","11.5.0-11.6.0");
    vmatrix["LC"]["unaffected"] = make_list("12.1.0","12.0.0HF3","11.6.1","11.0.0-11.4.1","10.1.0-10.2.4");
    
    # LTM
    vmatrix["LTM"] = make_array();
    vmatrix["LTM"]["affected"  ] = make_list("12.0.0","11.5.0-11.6.0");
    vmatrix["LTM"]["unaffected"] = make_list("12.1.0","12.0.0HF3","11.6.1","11.0.0-11.4.1","10.1.0-10.2.4");
    
    # PEM
    vmatrix["PEM"] = make_array();
    vmatrix["PEM"]["affected"  ] = make_list("12.0.0","11.5.0-11.6.0");
    vmatrix["PEM"]["unaffected"] = make_list("12.1.0","12.0.0HF3","11.6.1","11.3.0-11.4.1");
    
    
    if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
    {
      if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = bigip_get_tested_modules();
      audit_extra = "For BIG-IP module(s) " + tested + ",";
      if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
      else audit(AUDIT_HOST_NOT, "running any of the affected modules");
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_864E6F75237211E586FF14DAE9D210B8.NASL
    descriptionnode reports : This release of Node.js fixes a bug that triggers an out-of-band write in V8
    last seen2020-06-01
    modified2020-06-02
    plugin id84524
    published2015-07-06
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84524
    titleFreeBSD : node, iojs, and v8 -- denial of service (864e6f75-2372-11e5-86ff-14dae9d210b8)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(84524);
      script_version("2.6");
      script_cvs_date("Date: 2018/12/19 13:21:18");
    
      script_cve_id("CVE-2015-5380");
    
      script_name(english:"FreeBSD : node, iojs, and v8 -- denial of service (864e6f75-2372-11e5-86ff-14dae9d210b8)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "node reports :
    
    This release of Node.js fixes a bug that triggers an out-of-band write
    in V8's utf-8 decoder. This bug impacts all Buffer to String
    conversions. This is an important security update as this bug can be
    used to cause a denial of service attack."
      );
      # http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/
      script_set_attribute(
        attribute:"see_also",
        value:"https://nodejs.org/en/blog/release/v0.12.6/"
      );
      # https://github.com/joyent/node/commit/78b0e30954111cfaba0edbeee85450d8cbc6fdf6
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5294b12d"
      );
      # https://github.com/nodejs/io.js/commit/030f8045c706a8c3925ec7cb3184fdfae4ba8676
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6146c0d5"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://codereview.chromium.org/1226493003"
      );
      # https://vuxml.freebsd.org/freebsd/864e6f75-2372-11e5-86ff-14dae9d210b8.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?c788021f"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:iojs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:node");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:node-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:v8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:v8-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/07/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"node<0.12.6")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"node-devel<0.12.6")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"iojs<2.3.3")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"v8<=3.18.5")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"v8-devel<=3.27.7_2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");