Vulnerabilities > CVE-2017-17484 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Icu-Project International Components for Unicode

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
icu-project
CWE-119
critical
nessus

Summary

The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.

Vulnerable Configurations

Part Description Count
Application
Icu-Project
84

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-517.NASL
    descriptionicu was updated to fix two security issues. These security issues were fixed : - CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) used an integer data type that is inconsistent with a header file, which allowed remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text (bsc#929629). - CVE-2014-8146: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) did not properly track directionally isolated pieces of text, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text (bsc#929629). - CVE-2016-6293: The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) for C/C++ did not ensure that there is a
    last seen2020-06-05
    modified2018-05-25
    plugin id110107
    published2018-05-25
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110107
    titleopenSUSE Security Update : icu (openSUSE-2018-517)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2018-517.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110107);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2014-8146", "CVE-2014-8147", "CVE-2016-6293", "CVE-2017-14952", "CVE-2017-15422", "CVE-2017-17484", "CVE-2017-7867", "CVE-2017-7868");
    
      script_name(english:"openSUSE Security Update : icu (openSUSE-2018-517)");
      script_summary(english:"Check for the openSUSE-2018-517 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "icu was updated to fix two security issues.
    
    These security issues were fixed :
    
      - CVE-2014-8147: The resolveImplicitLevels function in
        common/ubidi.c in the Unicode Bidirectional Algorithm
        implementation in ICU4C in International Components for
        Unicode (ICU) used an integer data type that is
        inconsistent with a header file, which allowed remote
        attackers to cause a denial of service (incorrect malloc
        followed by invalid free) or possibly execute arbitrary
        code via crafted text (bsc#929629).
    
      - CVE-2014-8146: The resolveImplicitLevels function in
        common/ubidi.c in the Unicode Bidirectional Algorithm
        implementation in ICU4C in International Components for
        Unicode (ICU) did not properly track directionally
        isolated pieces of text, which allowed remote attackers
        to cause a denial of service (heap-based buffer
        overflow) or possibly execute arbitrary code via crafted
        text (bsc#929629).
    
      - CVE-2016-6293: The uloc_acceptLanguageFromHTTP function
        in common/uloc.cpp in International Components for
        Unicode (ICU) for C/C++ did not ensure that there is a
        '\0' character at the end of a certain temporary array,
        which allowed remote attackers to cause a denial of
        service (out-of-bounds read) or possibly have
        unspecified other impact via a call with a long
        httpAcceptLanguage argument (bsc#990636).
    
      - CVE-2017-7868: International Components for Unicode
        (ICU) for C/C++ 2017-02-13 has an out-of-bounds write
        caused by a heap-based buffer overflow related to the
        utf8TextAccess function in common/utext.cpp and the
        utext_moveIndex32* function (bsc#1034674)
    
      - CVE-2017-7867: International Components for Unicode
        (ICU) for C/C++ 2017-02-13 has an out-of-bounds write
        caused by a heap-based buffer overflow related to the
        utf8TextAccess function in common/utext.cpp and the
        utext_setNativeIndex* function (bsc#1034678)
    
      - CVE-2017-14952: Double free in i18n/zonemeta.cpp in
        International Components for Unicode (ICU) for C/C++
        allowed remote attackers to execute arbitrary code via a
        crafted string, aka a 'redundant UVector entry clean up
        function call' issue (bnc#1067203)
    
      - CVE-2017-17484: The ucnv_UTF8FromUTF8 function in
        ucnv_u8.cpp in International Components for Unicode
        (ICU) for C/C++ mishandled ucnv_convertEx calls for
        UTF-8 to UTF-8 conversion, which allowed remote
        attackers to cause a denial of service (stack-based
        buffer overflow and application crash) or possibly have
        unspecified other impact via a crafted string, as
        demonstrated by ZNC (bnc#1072193)
    
      - CVE-2017-15422: An integer overflow in icu during
        persian calendar date processing could lead to incorrect
        years shown (bnc#1077999)
    
    This update was imported from the SUSE:SLE-12:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034674"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034678"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1067203"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1072193"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1077999"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1087932"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=929629"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=990636"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected icu packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icu-data");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icu-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icu-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libicu-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libicu-devel-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libicu52_1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libicu52_1-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libicu52_1-data");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libicu52_1-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libicu52_1-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/25");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.3", reference:"icu-52.1-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"icu-data-52.1-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"icu-debuginfo-52.1-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"icu-debugsource-52.1-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libicu-devel-52.1-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libicu52_1-52.1-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libicu52_1-data-52.1-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libicu52_1-debuginfo-52.1-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libicu-devel-32bit-52.1-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libicu52_1-32bit-52.1-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libicu52_1-debuginfo-32bit-52.1-18.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "icu / icu-data / icu-debuginfo / icu-debugsource / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2312.NASL
    descriptionAccording to the version of the icu package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.(CVE-2017-17484) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id131477
    published2019-12-03
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131477
    titleEulerOS Virtualization for ARM 64 3.0.3.0 : icu (EulerOS-SA-2019-2312)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131477);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/10");
    
      script_cve_id(
        "CVE-2017-17484"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.3.0 : icu (EulerOS-SA-2019-2312)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the icu package installed, the EulerOS
    Virtualization for ARM 64 installation on the remote host is affected
    by the following vulnerability :
    
      - The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in
        International Components for Unicode (ICU) for C/C++
        through 60.1 mishandles ucnv_convertEx calls for UTF-8
        to UTF-8 conversion, which allows remote attackers to
        cause a denial of service (stack-based buffer overflow
        and application crash) or possibly have unspecified
        other impact via a crafted string, as demonstrated by
        ZNC.(CVE-2017-17484)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2312
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?04322c61");
      script_set_attribute(attribute:"solution", value:
    "Update the affected icu package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/03");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libicu");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.3.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.3.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.3.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["libicu-62.1-2.eulerosv2r8"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "icu");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1602-1.NASL
    descriptionThis update for icu fixes the following issues : - CVE-2016-6293: The uloc_acceptLanguageFromHTTP function in common/uloc.cpp did not ensure that there is a
    last seen2020-06-01
    modified2020-06-02
    plugin id110443
    published2018-06-11
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110443
    titleSUSE SLES11 Security Update : icu (SUSE-SU-2018:1602-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1401-1.NASL
    descriptionicu was updated to fix two security issues. These security issues were fixed : - CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) used an integer data type that is inconsistent with a header file, which allowed remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text (bsc#929629). - CVE-2014-8146: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) did not properly track directionally isolated pieces of text, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text (bsc#929629). - CVE-2016-6293: The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) for C/C++ did not ensure that there is a
    last seen2020-06-01
    modified2020-06-02
    plugin id110093
    published2018-05-24
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110093
    titleSUSE SLED12 / SLES12 Security Update : icu (SUSE-SU-2018:1401-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1401-2.NASL
    descriptionicu was updated to fix two security issues. These security issues were fixed : CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) used an integer data type that is inconsistent with a header file, which allowed remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text (bsc#929629). CVE-2014-8146: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) did not properly track directionally isolated pieces of text, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text (bsc#929629). CVE-2016-6293: The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) for C/C++ did not ensure that there is a
    last seen2020-06-01
    modified2020-06-02
    plugin id118258
    published2018-10-22
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118258
    titleSUSE SLES12 Security Update : icu (SUSE-SU-2018:1401-2)