Vulnerabilities > CVE-2017-15722 - Out-of-bounds Read vulnerability in multiple products

047910
CVSS 5.9 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
high complexity
irssi
debian
CWE-125
nessus

Summary

In certain cases, Irssi before 1.0.5 may fail to verify that a Safe channel ID is long enough, causing reads beyond the end of the string.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1189.NASL
    descriptionThis security update for irssi to version 1.0.5 addresses the following security issues : - CVE-2017-15228: When installing themes with unterminated colour formatting sequences, Irssi may access data beyond the end of the string. This issue could have resulted in denial of service (remote crash) when installing a malicious or broken theme file. - CVE-2017-15227: While waiting for the channel synchronisation, Irssi may incorrectly fail to remove destroyed channels from the query list, resulting in use after free conditions when updating the state later on. This issue could have caused denial of service (remote crash) when connecting to a malicious or broken ircd. - CVE-2017-15721: Certain incorrectly formatted DCC CTCP messages could cause NULL pointer dereference. This issue could have caused denial of service (remote crash) when connecting to a malicious or broken ircd. - CVE-2017-15723: Overlong nicks or targets may result in a NULL pointer dereference while splitting the message. This issue could have caused denial of service (remote crash) when connecting to a malicious or broken ircd. - CVE-2017-15722: In certain cases Irssi may fail to verify that a Safe channel ID is long enough, causing reads beyond the end of the string.
    last seen2020-06-05
    modified2017-10-24
    plugin id104114
    published2017-10-24
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/104114
    titleopenSUSE Security Update : irssi (openSUSE-2017-1189)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2017-1189.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104114);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-15227", "CVE-2017-15228", "CVE-2017-15721", "CVE-2017-15722", "CVE-2017-15723");
    
      script_name(english:"openSUSE Security Update : irssi (openSUSE-2017-1189)");
      script_summary(english:"Check for the openSUSE-2017-1189 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This security update for irssi to version 1.0.5 addresses the
    following security issues :
    
      - CVE-2017-15228: When installing themes with unterminated
        colour formatting sequences, Irssi may access data
        beyond the end of the string. This issue could have
        resulted in denial of service (remote crash) when
        installing a malicious or broken theme file.
    
      - CVE-2017-15227: While waiting for the channel
        synchronisation, Irssi may incorrectly fail to remove
        destroyed channels from the query list, resulting in use
        after free conditions when updating the state later on.
        This issue could have caused denial of service (remote
        crash) when connecting to a malicious or broken ircd.
    
      - CVE-2017-15721: Certain incorrectly formatted DCC CTCP
        messages could cause NULL pointer dereference. This
        issue could have caused denial of service (remote crash)
        when connecting to a malicious or broken ircd.
    
      - CVE-2017-15723: Overlong nicks or targets may result in
        a NULL pointer dereference while splitting the message.
        This issue could have caused denial of service (remote
        crash) when connecting to a malicious or broken ircd.
    
      - CVE-2017-15722: In certain cases Irssi may fail to
        verify that a Safe channel ID is long enough, causing
        reads beyond the end of the string."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1064540"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected irssi packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:irssi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:irssi-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:irssi-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:irssi-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.2", reference:"irssi-1.0.5-14.14.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"irssi-debuginfo-1.0.5-14.14.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"irssi-debugsource-1.0.5-14.14.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"irssi-devel-1.0.5-14.14.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"irssi-1.0.5-17.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"irssi-debuginfo-1.0.5-17.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"irssi-debugsource-1.0.5-17.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"irssi-devel-1.0.5-17.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "irssi / irssi-debuginfo / irssi-debugsource / irssi-devel");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1217.NASL
    descriptionMultiple vulnerabilities have been discovered in Irssi, a terminal based IRC client, which may lead to denial of service or other unspecified impact. For Debian 7
    last seen2020-03-17
    modified2017-12-26
    plugin id105424
    published2017-12-26
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105424
    titleDebian DLA-1217-1 : irssi security update
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1284.NASL
    descriptionAccording to the versions of the irssi package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Irssi before 1.0.5, when installing themes with unterminated colour formatting sequences, may access data beyond the end of the string.(CVE-2017-15228) - Irssi before 1.0.5, while waiting for the channel synchronisation, may incorrectly fail to remove destroyed channels from the query list, resulting in use-after-free conditions when updating the state later on.(CVE-2017-15227) - In Irssi before 1.0.5, certain incorrectly formatted DCC CTCP messages could cause a NULL pointer dereference. This is a separate, but similar, issue relative to CVE-2017-9468.(CVE-2017-15721) - In certain cases, Irssi before 1.0.5 may fail to verify that a Safe channel ID is long enough, causing reads beyond the end of the string.(CVE-2017-15722) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-12-01
    plugin id104903
    published2017-12-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104903
    titleEulerOS 2.0 SP2 : irssi (EulerOS-SA-2017-1284)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4016.NASL
    descriptionMultiple vulnerabilities have been discovered in Irssi, a terminal based IRC client. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2017-10965 Brian
    last seen2020-06-01
    modified2020-06-02
    plugin id104400
    published2017-11-06
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104400
    titleDebian DSA-4016-1 : irssi - security update
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3465-1.NASL
    descriptionBrian Carpenter discovered that Irssi incorrectly handled messages with invalid time stamps. A malicious IRC server could use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-10965) Brian Carpenter discovered that Irssi incorrectly handled the internal nick list. A malicious IRC server could use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-10966) Joseph Bisch discovered that Irssi incorrectly removed destroyed channels from the query list. A malicious IRC server could use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-15227) Hanno Bock discovered that Irssi incorrectly handled themes. If a user were tricked into using a malicious theme, a attacker could use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-15228) Joseph Bisch discovered that Irssi incorrectly handled certain DCC CTCP messages. A malicious IRC server could use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-15721) Joseph Bisch discovered that Irssi incorrectly handled certain channel IDs. A malicious IRC server could use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-15722) Joseph Bisch discovered that Irssi incorrectly handled certain long nicks or targets. A malicious IRC server could use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-15723). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104212
    published2017-10-27
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104212
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : irssi vulnerabilities (USN-3465-1)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_85E2C7EBB74B11E785465CF3FCFDD1F1.NASL
    descriptionIrssi reports : When installing themes with unterminated colour formatting sequences, Irssi may access data beyond the end of the string. While waiting for the channel synchronisation, Irssi may incorrectly fail to remove destroyed channels from the query list, resulting in use after free conditions when updating the state later on. Certain incorrectly formatted DCC CTCP messages could cause NULL pointer dereference. Overlong nicks or targets may result in a NULL pointer dereference while splitting the message. In certain cases Irssi may fail to verify that a Safe channel ID is long enough, causing reads beyond the end of the string.
    last seen2020-06-01
    modified2020-06-02
    plugin id104062
    published2017-10-23
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104062
    titleFreeBSD : irssi -- multiple vulnerabilities (85e2c7eb-b74b-11e7-8546-5cf3fcfdd1f1)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2017-298-01.NASL
    descriptionNew irssi packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104146
    published2017-10-26
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/104146
    titleSlackware 14.0 / 14.1 / 14.2 / current : irssi (SSA:2017-298-01)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1283.NASL
    descriptionAccording to the versions of the irssi package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Irssi before 1.0.5, when installing themes with unterminated colour formatting sequences, may access data beyond the end of the string.(CVE-2017-15228) - Irssi before 1.0.5, while waiting for the channel synchronisation, may incorrectly fail to remove destroyed channels from the query list, resulting in use-after-free conditions when updating the state later on.(CVE-2017-15227) - In Irssi before 1.0.5, certain incorrectly formatted DCC CTCP messages could cause a NULL pointer dereference. This is a separate, but similar, issue relative to CVE-2017-9468.(CVE-2017-15721) - In certain cases, Irssi before 1.0.5 may fail to verify that a Safe channel ID is long enough, causing reads beyond the end of the string.(CVE-2017-15722) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-12-01
    plugin id104902
    published2017-12-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104902
    titleEulerOS 2.0 SP1 : irssi (EulerOS-SA-2017-1283)