Vulnerabilities > CVE-2017-14062 - Integer Overflow or Wraparound vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | Gnu
| 18 |
OS | 3 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3434-1.NASL description It was discovered that Libidn incorrectly handled decoding certain digits. A remote attacker could use this issue to cause Libidn to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 103645 published 2017-10-03 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103645 title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : libidn vulnerability (USN-3434-1) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1085.NASL description It was discovered that there was an integer overflow vulnerability in libidn2-0 last seen 2020-03-17 modified 2017-09-05 plugin id 102924 published 2017-09-05 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/102924 title Debian DLA-1085-1 : libidn2-0 security update NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1447.NASL description An integer overflow vulnerability was discovered in libidn, the GNU library for Internationalized Domain Names (IDNs), in its Punycode handling (a Unicode characters to ASCII encoding) allowing a remote attacker to cause a denial of service against applications using the library. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 111388 published 2018-07-30 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111388 title Debian DLA-1447-1 : libidn security update NASL family Fedora Local Security Checks NASL id FEDORA_2018-02E23192F5.NASL description Update to the latest upstream release, which fixes CVE-2017-14062. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-04-10 plugin id 108907 published 2018-04-10 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108907 title Fedora 27 : libidn (2018-02e23192f5) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3421-1.NASL description It was discovered that Libidn2 incorrectly handled certain input. A remote attacker could possibly use this issue to cause Libidn2 to crash, resulting in a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 103325 published 2017-09-19 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103325 title Ubuntu 17.04 : libidn2-0 vulnerability (USN-3421-1) NASL family Fedora Local Security Checks NASL id FEDORA_2017-57722CCD30.NASL description Libidn2 2.0.4 (released 2017-08-30) =================================== - Fix integer overflow in bidi.c/_isBidi() - Fix integer overflow in puny_decode.c/decode_digit() - Improve docs - Fix idna_free() to idn_free() - Update fuzzer corpora Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-09-05 plugin id 102936 published 2017-09-05 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102936 title Fedora 25 : libidn2 (2017-57722ccd30) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-341.NASL description This update for libidn fixes the following issue : - CVE-2017-14062: Prevent integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450). This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2018-04-10 plugin id 108933 published 2018-04-10 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108933 title openSUSE Security Update : libidn (openSUSE-2018-341) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2337.NASL description According to the version of the libidn package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.(CVE-2017-14062) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 131502 published 2019-12-03 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131502 title EulerOS Virtualization for ARM 64 3.0.3.0 : libidn (EulerOS-SA-2019-2337) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3988.NASL description An integer overflow vulnerability was discovered in decode_digit() in libidn2-0, the GNU library for Internationalized Domain Names (IDNs), allowing a remote attacker to cause a denial of service against an application using the library (application crash). last seen 2020-06-01 modified 2020-06-02 plugin id 103580 published 2017-10-02 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103580 title Debian DSA-3988-1 : libidn2-0 - security update NASL family Fedora Local Security Checks NASL id FEDORA_2017-B469BE1A72.NASL description Libidn2 2.0.4 (released 2017-08-30) =================================== - Fix integer overflow in bidi.c/_isBidi() - Fix integer overflow in puny_decode.c/decode_digit() - Improve docs - Fix idna_free() to idn_free() - Update fuzzer corpora Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-01-15 plugin id 105962 published 2018-01-15 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105962 title Fedora 27 : mingw-libidn2 (2017-b469be1a72) NASL family Fedora Local Security Checks NASL id FEDORA_2018-F749C70191.NASL description Update to the latest upstream release, which fixes CVE-2017-14062. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120922 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120922 title Fedora 28 : libidn (2018-f749c70191) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201804-02.NASL description The remote host is affected by the vulnerability described in GLSA-201804-02 (glibc: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in glibc. Please review the CVE identifiers referenced below for details. Impact : An attacker could possibly execute arbitrary code, escalate privileges, cause a Denial of Service condition, or have other unspecified impacts. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 108822 published 2018-04-04 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108822 title GLSA-201804-02 : glibc: Multiple vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1084.NASL description It was discovered that there was an integer overflow vulnerability in libidn last seen 2020-03-17 modified 2017-09-05 plugin id 102923 published 2017-09-05 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/102923 title Debian DLA-1084-1 : libidn security update NASL family Fedora Local Security Checks NASL id FEDORA_2017-2D4EAD8DA9.NASL description Libidn2 2.0.4 (released 2017-08-30) =================================== - Fix integer overflow in bidi.c/_isBidi() - Fix integer overflow in puny_decode.c/decode_digit() - Improve docs - Fix idna_free() to idn_free() - Update fuzzer corpora Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-09-05 plugin id 102934 published 2017-09-05 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102934 title Fedora 26 : libidn2 (2017-2d4ead8da9) NASL family Fedora Local Security Checks NASL id FEDORA_2017-09B1C3F099.NASL description Libidn2 2.0.4 (released 2017-08-30) =================================== - Fix integer overflow in bidi.c/_isBidi() - Fix integer overflow in puny_decode.c/decode_digit() - Improve docs - Fix idna_free() to idn_free() - Update fuzzer corpora Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-01-15 plugin id 105810 published 2018-01-15 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105810 title Fedora 27 : libidn2 (2017-09b1c3f099) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0878-1.NASL description This update for libidn fixes one issues. This security issue was fixed : - CVE-2017-14062: Prevent integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 108875 published 2018-04-06 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108875 title SUSE SLED12 / SLES12 Security Update : libidn (SUSE-SU-2018:0878-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0903-1.NASL description This update for libidn fixes one issues. This security issue was fixed : - CVE-2017-14062: Prevent integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 108947 published 2018-04-10 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108947 title SUSE SLES11 Security Update : libidn (SUSE-SU-2018:0903-1)
References
- http://www.debian.org/security/2017/dsa-3988
- http://www.debian.org/security/2017/dsa-3988
- https://gitlab.com/libidn/libidn2/blob/master/NEWS
- https://gitlab.com/libidn/libidn2/blob/master/NEWS
- https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd
- https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd
- https://lists.debian.org/debian-lts-announce/2018/07/msg00040.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00040.html