Vulnerabilities > CVE-2017-5194 - Use After Free vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
irssi
debian
CWE-416
nessus

Summary

Use-after-free vulnerability in Irssi before 0.8.21 allows remote attackers to cause a denial of service (crash) via an invalid nick message.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201701-45.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201701-45 (irssi: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in irssi. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id96642
    published2017-01-20
    reporterThis script is Copyright (C) 2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96642
    titleGLSA-201701-45 : irssi: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201701-45.
    #
    # The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96642);
      script_version("$Revision: 3.3 $");
      script_cvs_date("$Date: 2017/03/13 15:28:56 $");
    
      script_cve_id("CVE-2017-5193", "CVE-2017-5194", "CVE-2017-5195", "CVE-2017-5196");
      script_xref(name:"GLSA", value:"201701-45");
    
      script_name(english:"GLSA-201701-45 : irssi: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201701-45
    (irssi: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in irssi. Please review
          the CVE identifiers referenced below for details.
      
    Impact :
    
        A remote attacker could possibly execute arbitrary code with the
          privileges of the process or cause a Denial of Service condition.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201701-45"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All irssi users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=net-irc/irssi-0.8.21'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:irssi");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/20");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-irc/irssi", unaffected:make_list("ge 0.8.21"), vulnerable:make_list("lt 0.8.21"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "irssi");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1971.NASL
    descriptionAccording to the versions of the irssi package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The nickcmp function in Irssi before 0.8.21 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a message without a nick.(CVE-2017-5193) - Use-after-free vulnerability in Irssi before 0.8.21 allows remote attackers to cause a denial of service (crash) via an invalid nick message.(CVE-2017-5194) - Irssi before 0.8.21 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a string containing a formatting sequence (%[) without a closing bracket (]).(CVE-2017-5356) - In Irssi before 1.0.3, when receiving a DCC message without source nick/host, it attempts to dereference a NULL pointer. Thus, remote IRC servers can cause a crash.(CVE-2017-9468) - In Irssi before 1.0.3, when receiving certain incorrectly quoted DCC files, it tries to find the terminating quote one byte before the allocated memory. Thus, remote attackers might be able to cause a crash.(CVE-2017-9469) - An issue was discovered in Irssi before 1.0.4. When receiving messages with invalid time stamps, Irssi would try to dereference a NULL pointer.(CVE-2017-10965) - An issue was discovered in Irssi before 1.0.4. While updating the internal nick list, Irssi could incorrectly use the GHashTable interface and free the nick while updating it. This would then result in use-after-free conditions on each access of the hash table.(CVE-2017-10966) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-09-23
    plugin id129128
    published2019-09-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129128
    titleEulerOS 2.0 SP5 : irssi (EulerOS-SA-2019-1971)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1217.NASL
    descriptionMultiple vulnerabilities have been discovered in Irssi, a terminal based IRC client, which may lead to denial of service or other unspecified impact. For Debian 7
    last seen2020-03-17
    modified2017-12-26
    plugin id105424
    published2017-12-26
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105424
    titleDebian DLA-1217-1 : irssi security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-7F9E997585.NASL
    descriptionThis is an security update fixing CVE-2017-5193, CVE-2017-5194, CVE-2017-5195, CVE-2017-5196, CVE-2017-5356. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-01-31
    plugin id96893
    published2017-01-31
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96893
    titleFedora 25 : irssi (2017-7f9e997585)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-67.NASL
    descriptionirssi was updated to fix four vulnerabilities that could result in denial of service (remote crash) when connecting to malicious servers or receiving specially crafted data. (boo#1018357) - CVE-2017-5193: NULL pointer dereference in the nickcmp function - CVE-2017-5194: out of bounds read in certain incomplete control codes - CVE-2017-5195: out of bounds read in certain incomplete character sequences - CVE-2017-5196: Correct an error when receiving invalid nick message
    last seen2020-06-05
    modified2017-01-10
    plugin id96385
    published2017-01-10
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96385
    titleopenSUSE Security Update : irssi (openSUSE-2017-67)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2477.NASL
    descriptionAccording to the versions of the irssi package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In Irssi before 1.0.6, a calculation error in the completion code could cause a heap buffer overflow when completing certain strings.(CVE-2018-5208) - When using incomplete escape codes, Irssi before 1.0.6 may access data beyond the end of the string.(CVE-2018-5205) - When the channel topic is set without specifying a sender, Irssi before 1.0.6 may dereference a NULL pointer.(CVE-2018-5206) - When using an incomplete variable argument, Irssi before 1.0.6 may access data beyond the end of the string.(CVE-2018-5207) - The nickcmp function in Irssi before 0.8.21 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a message without a nick.(CVE-2017-5193) - Use-after-free vulnerability in Irssi before 0.8.21 allows remote attackers to cause a denial of service (crash) via an invalid nick message.(CVE-2017-5194) - Irssi before 0.8.21 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a string containing a formatting sequence (%[) without a closing bracket (]).(CVE-2017-5356) - In Irssi before 1.0.3, when receiving a DCC message without source nick/host, it attempts to dereference a NULL pointer. Thus, remote IRC servers can cause a crash.(CVE-2017-9468) - In Irssi before 1.0.3, when receiving certain incorrectly quoted DCC files, it tries to find the terminating quote one byte before the allocated memory. Thus, remote attackers might be able to cause a crash.(CVE-2017-9469) - An issue was discovered in Irssi before 1.0.4. When receiving messages with invalid time stamps, Irssi would try to dereference a NULL pointer.(CVE-2017-10965) - An issue was discovered in Irssi before 1.0.4. While updating the internal nick list, Irssi could incorrectly use the GHashTable interface and free the nick while updating it. This would then result in use-after-free conditions on each access of the hash table.(CVE-2017-10966) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-12-04
    plugin id131630
    published2019-12-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131630
    titleEulerOS 2.0 SP2 : irssi (EulerOS-SA-2019-2477)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2017-011-03.NASL
    descriptionNew irssi packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id96409
    published2017-01-12
    reporterThis script is Copyright (C) 2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96409
    titleSlackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : irssi (SSA:2017-011-03)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_3D6BE69BD36511E6A071001E67F15F5A.NASL
    descriptionIrssi reports : Five vulnerabilities have been located in Irssi - A NULL pointer dereference in the nickcmp function found by Joseph Bisch. (CWE-690) - Use after free when receiving invalid nick message (Issue #466, CWE-146) - Out of bounds read in certain incomplete control codes found by Joseph Bisch. (CWE-126) - Out of bounds read in certain incomplete character sequences found by Hanno Bock and independently by J. Bisch. (CWE-126) - Out of bounds read when Printing the value
    last seen2020-06-01
    modified2020-06-02
    plugin id96322
    published2017-01-06
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96322
    titleFreeBSD : Irssi -- multiple vulnerabilities (3d6be69b-d365-11e6-a071-001e67f15f5a)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2595.NASL
    descriptionAccording to the versions of the irssi package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in Irssi before 1.0.4. When receiving messages with invalid time stamps, Irssi would try to dereference a NULL pointer.(CVE-2017-10965) - An issue was discovered in Irssi before 1.0.4. While updating the internal nick list, Irssi could incorrectly use the GHashTable interface and free the nick while updating it. This would then result in use-after-free conditions on each access of the hash table.(CVE-2017-10966) - In Irssi before 1.0.3, when receiving a DCC message without source nick/host, it attempts to dereference a NULL pointer. Thus, remote IRC servers can cause a crash.(CVE-2017-9468) - In Irssi before 1.0.3, when receiving certain incorrectly quoted DCC files, it tries to find the terminating quote one byte before the allocated memory. Thus, remote attackers might be able to cause a crash.(CVE-2017-9469) - In Irssi before 1.0.6, a calculation error in the completion code could cause a heap buffer overflow when completing certain strings.(CVE-2018-5208) - Irssi before 0.8.21 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a string containing a formatting sequence (%[) without a closing bracket (]).(CVE-2017-5356) - The nickcmp function in Irssi before 0.8.21 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a message without a nick.(CVE-2017-5193) - Use-after-free vulnerability in Irssi before 0.8.21 allows remote attackers to cause a denial of service (crash) via an invalid nick message.(CVE-2017-5194) - When the channel topic is set without specifying a sender, Irssi before 1.0.6 may dereference a NULL pointer.(CVE-2018-5206) - When using an incomplete variable argument, Irssi before 1.0.6 may access data beyond the end of the string.(CVE-2018-5207) - When using incomplete escape codes, Irssi before 1.0.6 may access data beyond the end of the string.(CVE-2018-5205) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-12-18
    plugin id132130
    published2019-12-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132130
    titleEulerOS 2.0 SP3 : irssi (EulerOS-SA-2019-2595)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3184-1.NASL
    descriptionIt was discovered that the Irssi buf.pl script set incorrect permissions. A local attacker could use this issue to retrieve another user
    last seen2020-06-01
    modified2020-06-02
    plugin id96953
    published2017-02-02
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96953
    titleUbuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : irssi vulnerabilities (USN-3184-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-D2E7217E2A.NASL
    descriptionThis is an security update fixing CVE-2017-5193, CVE-2017-5194, CVE-2017-5195, CVE-2017-5196, CVE-2017-5356. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-01-31
    plugin id96898
    published2017-01-31
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96898
    titleFedora 24 : irssi (2017-d2e7217e2a)