Vulnerabilities > CVE-2017-16879 - Out-of-bounds Write vulnerability in GNU Ncurses 6.0
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Common Weakness Enumeration (CWE)
Nessus
NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0053_NCURSES.NASL description An update of the ncurses package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121777 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121777 title Photon OS 2.0: Ncurses PHSA-2017-0053 code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory PHSA-2017-0053. The text # itself is copyright (C) VMware, Inc. include('compat.inc'); if (description) { script_id(121777); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2019/02/07"); script_cve_id("CVE-2017-16879"); script_name(english:"Photon OS 2.0: Ncurses PHSA-2017-0053"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote PhotonOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "An update of the ncurses package has been released."); script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-2-6.md"); script_set_attribute(attribute:"solution", value: "Update the affected Linux packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-16879"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/13"); script_set_attribute(attribute:"patch_publication_date", value:"2017/12/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/07"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:ncurses"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:2.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"PhotonOS Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/PhotonOS/release"); if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS"); if (release !~ "^VMware Photon (?:Linux|OS) 2\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 2.0"); if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu); flag = 0; if (rpm_check(release:"PhotonOS-2.0", reference:"ncurses-6.0-13.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"ncurses-compat-6.0-13.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"ncurses-debuginfo-6.0-13.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"ncurses-devel-6.0-13.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"ncurses-libs-6.0-13.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"ncurses-terminfo-6.0-13.ph2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ncurses"); }NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1006.NASL description According to the version of the ncurses packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.(CVE-2017-16879) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2018-01-19 plugin id 106147 published 2018-01-19 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106147 title EulerOS 2.0 SP2 : ncurses (EulerOS-SA-2018-1006) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(106147); script_version("3.11"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04"); script_cve_id( "CVE-2017-16879" ); script_name(english:"EulerOS 2.0 SP2 : ncurses (EulerOS-SA-2018-1006)"); script_summary(english:"Checks the rpm output for the updated package."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing a security update."); script_set_attribute(attribute:"description", value: "According to the version of the ncurses packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.(CVE-2017-16879) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1006 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?61cb8b4e"); script_set_attribute(attribute:"solution", value: "Update the affected ncurses package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/19"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ncurses"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ncurses-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ncurses-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ncurses-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ncurses-term"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["ncurses-5.9-13.20130511.h1", "ncurses-base-5.9-13.20130511.h1", "ncurses-devel-5.9-13.20130511.h1", "ncurses-libs-5.9-13.20130511.h1", "ncurses-term-5.9-13.20130511.h1"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ncurses"); }NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0053_APR.NASL description An update of the apr package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121776 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121776 title Photon OS 2.0: Apr PHSA-2017-0053 NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201804-13.NASL description The remote host is affected by the vulnerability described in GLSA-201804-13 (ncurses: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in ncurses. Please review the CVE identifiers referenced below for details. Impact : A remote attacker, by enticing the user to process untrusted terminfo or other data, could execute arbitrary code or cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 109097 published 2018-04-18 reporter This script is Copyright (C) 2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/109097 title GLSA-201804-13 : ncurses: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-3183-1.NASL description This update for ncurses fixes the following issues: Security issues fixed : - CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136). - CVE-2017-13729: Fix illegal address access in the _nc_save_str (bsc#1056132). - CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131). - CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129). - CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128). - CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127). - CVE-2017-16879: Fix stack-based buffer overflow in the _nc_write_entry() function (bsc#1069530). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 104993 published 2017-12-04 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104993 title SUSE SLES11 Security Update : ncurses (SUSE-SU-2017:3183-1) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0053.NASL description An update of [apr,ncurses] packages for PhotonOS has been released. last seen 2019-02-08 modified 2019-02-07 plugin id 111902 published 2018-08-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111902 title Photon OS 2.0: Apr / Ncurses PHSA-2017-0053 (deprecated) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1005.NASL description According to the version of the ncurses packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.(CVE-2017-16879) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2018-01-19 plugin id 106146 published 2018-01-19 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106146 title EulerOS 2.0 SP1 : ncurses (EulerOS-SA-2018-1005) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-1_0-0093.NASL description An update of 'linux', 'krb5', 'subversion', 'apr', 'ncurses' packages of Photon OS has been released. last seen 2019-02-21 modified 2019-02-07 plugin id 111903 published 2018-08-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111903 title Photon OS 1.0: Apr / Krb5 / Linux / Ncurses / Subversion PHSA-2017-1.0-0093 (deprecated) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-1_0-0093_NCURSES.NASL description An update of the ncurses package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121781 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121781 title Photon OS 1.0: Ncurses PHSA-2017-1.0-0093
References
- http://packetstormsecurity.com/files/145045/GNU-ncurses-6.0-tic-Denial-Of-Service.html
- http://invisible-island.net/ncurses/NEWS.html#t20171125
- https://tools.cisco.com/security/center/viewAlert.x?alertId=57695
- https://security.gentoo.org/glsa/201804-13
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E