Vulnerabilities > CVE-2017-9468 - NULL Pointer Dereference vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
In Irssi before 1.0.3, when receiving a DCC message without source nick/host, it attempts to dereference a NULL pointer. Thus, remote IRC servers can cause a crash.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2017-2F30E218E7.NASL description This is an security fix for CVE-2017-9468, CVE-2017-9469. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-07-17 plugin id 101601 published 2017-07-17 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101601 title Fedora 26 : irssi (2017-2f30e218e7) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2017-2f30e218e7. # include("compat.inc"); if (description) { script_id(101601); script_version("3.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-9468", "CVE-2017-9469"); script_xref(name:"FEDORA", value:"2017-2f30e218e7"); script_name(english:"Fedora 26 : irssi (2017-2f30e218e7)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "This is an security fix for CVE-2017-9468, CVE-2017-9469. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-2f30e218e7" ); script_set_attribute(attribute:"solution", value:"Update the affected irssi package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:irssi"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/07"); script_set_attribute(attribute:"patch_publication_date", value:"2017/07/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/17"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC26", reference:"irssi-1.0.3-1.fc26")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "irssi"); }NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1971.NASL description According to the versions of the irssi package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The nickcmp function in Irssi before 0.8.21 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a message without a nick.(CVE-2017-5193) - Use-after-free vulnerability in Irssi before 0.8.21 allows remote attackers to cause a denial of service (crash) via an invalid nick message.(CVE-2017-5194) - Irssi before 0.8.21 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a string containing a formatting sequence (%[) without a closing bracket (]).(CVE-2017-5356) - In Irssi before 1.0.3, when receiving a DCC message without source nick/host, it attempts to dereference a NULL pointer. Thus, remote IRC servers can cause a crash.(CVE-2017-9468) - In Irssi before 1.0.3, when receiving certain incorrectly quoted DCC files, it tries to find the terminating quote one byte before the allocated memory. Thus, remote attackers might be able to cause a crash.(CVE-2017-9469) - An issue was discovered in Irssi before 1.0.4. When receiving messages with invalid time stamps, Irssi would try to dereference a NULL pointer.(CVE-2017-10965) - An issue was discovered in Irssi before 1.0.4. While updating the internal nick list, Irssi could incorrectly use the GHashTable interface and free the nick while updating it. This would then result in use-after-free conditions on each access of the hash table.(CVE-2017-10966) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2019-09-23 plugin id 129128 published 2019-09-23 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129128 title EulerOS 2.0 SP5 : irssi (EulerOS-SA-2019-1971) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3885.NASL description Multiple vulnerabilities have been discovered in Irssi, a terminal based IRC client. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2017-9468 Joseph Bisch discovered that Irssi does not properly handle DCC messages without source nick/host. A malicious IRC server can take advantage of this flaw to cause Irssi to crash, resulting in a denial of service. - CVE-2017-9469 Joseph Bisch discovered that Irssi does not properly handle receiving incorrectly quoted DCC files. A remote attacker can take advantage of this flaw to cause Irssi to crash, resulting in a denial of service. last seen 2020-06-01 modified 2020-06-02 plugin id 100853 published 2017-06-19 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100853 title Debian DSA-3885-1 : irssi - security update NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_165E89514BE011E7A5390050569F7E80.NASL description Joseph Bisch reports : When receiving a DCC message without source nick/host, Irssi would attempt to dereference a NULL pointer. When receiving certain incorrectly quoted DCC files, Irssi would try to find the terminating quote one byte before the allocated memory. last seen 2020-06-01 modified 2020-06-02 plugin id 100674 published 2017-06-08 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100674 title FreeBSD : irssi -- remote DoS (165e8951-4be0-11e7-a539-0050569f7e80) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1284.NASL description According to the versions of the irssi package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Irssi before 1.0.5, when installing themes with unterminated colour formatting sequences, may access data beyond the end of the string.(CVE-2017-15228) - Irssi before 1.0.5, while waiting for the channel synchronisation, may incorrectly fail to remove destroyed channels from the query list, resulting in use-after-free conditions when updating the state later on.(CVE-2017-15227) - In Irssi before 1.0.5, certain incorrectly formatted DCC CTCP messages could cause a NULL pointer dereference. This is a separate, but similar, issue relative to CVE-2017-9468.(CVE-2017-15721) - In certain cases, Irssi before 1.0.5 may fail to verify that a Safe channel ID is long enough, causing reads beyond the end of the string.(CVE-2017-15722) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-12-01 plugin id 104903 published 2017-12-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104903 title EulerOS 2.0 SP2 : irssi (EulerOS-SA-2017-1284) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2477.NASL description According to the versions of the irssi package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In Irssi before 1.0.6, a calculation error in the completion code could cause a heap buffer overflow when completing certain strings.(CVE-2018-5208) - When using incomplete escape codes, Irssi before 1.0.6 may access data beyond the end of the string.(CVE-2018-5205) - When the channel topic is set without specifying a sender, Irssi before 1.0.6 may dereference a NULL pointer.(CVE-2018-5206) - When using an incomplete variable argument, Irssi before 1.0.6 may access data beyond the end of the string.(CVE-2018-5207) - The nickcmp function in Irssi before 0.8.21 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a message without a nick.(CVE-2017-5193) - Use-after-free vulnerability in Irssi before 0.8.21 allows remote attackers to cause a denial of service (crash) via an invalid nick message.(CVE-2017-5194) - Irssi before 0.8.21 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a string containing a formatting sequence (%[) without a closing bracket (]).(CVE-2017-5356) - In Irssi before 1.0.3, when receiving a DCC message without source nick/host, it attempts to dereference a NULL pointer. Thus, remote IRC servers can cause a crash.(CVE-2017-9468) - In Irssi before 1.0.3, when receiving certain incorrectly quoted DCC files, it tries to find the terminating quote one byte before the allocated memory. Thus, remote attackers might be able to cause a crash.(CVE-2017-9469) - An issue was discovered in Irssi before 1.0.4. When receiving messages with invalid time stamps, Irssi would try to dereference a NULL pointer.(CVE-2017-10965) - An issue was discovered in Irssi before 1.0.4. While updating the internal nick list, Irssi could incorrectly use the GHashTable interface and free the nick while updating it. This would then result in use-after-free conditions on each access of the hash table.(CVE-2017-10966) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2019-12-04 plugin id 131630 published 2019-12-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131630 title EulerOS 2.0 SP2 : irssi (EulerOS-SA-2019-2477) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3317-1.NASL description It was discovered that Irssi incorrectly handled certain DCC messages. A malicious IRC server could use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-9468) Joseph Bisch discovered that Irssi incorrectly handled receiving incorrectly quoted DCC files. A remote attacker could possibly use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-9469). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 100755 published 2017-06-13 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100755 title Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : irssi vulnerabilities (USN-3317-1) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2017-158-01.NASL description New irssi packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 100703 published 2017-06-09 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/100703 title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : irssi (SSA:2017-158-01) NASL family Fedora Local Security Checks NASL id FEDORA_2017-75C571778E.NASL description This is new version with security fixes for CVE-2017-9468, CVE-2017-9469. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-07-10 plugin id 101327 published 2017-07-10 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101327 title Fedora 25 : irssi (2017-75c571778e) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2595.NASL description According to the versions of the irssi package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in Irssi before 1.0.4. When receiving messages with invalid time stamps, Irssi would try to dereference a NULL pointer.(CVE-2017-10965) - An issue was discovered in Irssi before 1.0.4. While updating the internal nick list, Irssi could incorrectly use the GHashTable interface and free the nick while updating it. This would then result in use-after-free conditions on each access of the hash table.(CVE-2017-10966) - In Irssi before 1.0.3, when receiving a DCC message without source nick/host, it attempts to dereference a NULL pointer. Thus, remote IRC servers can cause a crash.(CVE-2017-9468) - In Irssi before 1.0.3, when receiving certain incorrectly quoted DCC files, it tries to find the terminating quote one byte before the allocated memory. Thus, remote attackers might be able to cause a crash.(CVE-2017-9469) - In Irssi before 1.0.6, a calculation error in the completion code could cause a heap buffer overflow when completing certain strings.(CVE-2018-5208) - Irssi before 0.8.21 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a string containing a formatting sequence (%[) without a closing bracket (]).(CVE-2017-5356) - The nickcmp function in Irssi before 0.8.21 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a message without a nick.(CVE-2017-5193) - Use-after-free vulnerability in Irssi before 0.8.21 allows remote attackers to cause a denial of service (crash) via an invalid nick message.(CVE-2017-5194) - When the channel topic is set without specifying a sender, Irssi before 1.0.6 may dereference a NULL pointer.(CVE-2018-5206) - When using an incomplete variable argument, Irssi before 1.0.6 may access data beyond the end of the string.(CVE-2018-5207) - When using incomplete escape codes, Irssi before 1.0.6 may access data beyond the end of the string.(CVE-2018-5205) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2019-12-18 plugin id 132130 published 2019-12-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132130 title EulerOS 2.0 SP3 : irssi (EulerOS-SA-2019-2595) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1088.NASL description Irssi has some issues where remote attackers might be able to cause a crash. CVE-2017-9468 In irssi, when receiving a DCC message without source nick/host, it attempts to dereference a NULL pointer. CVE-2017-9469 In irssi, when receiving certain incorrectly quoted DCC files, it tries to find the terminating quote one byte before the allocated memory. For Debian 7 last seen 2020-03-17 modified 2017-09-05 plugin id 102926 published 2017-09-05 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102926 title Debian DLA-1088-1 : irssi security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-668.NASL description This update to irssi 1.0.3 fixes the following vulnerabilities : - CVE-2017-9469: irssi: dcc crash with incorrect quoting (bsc#1043052) - CVE-2017-9468: irssi: dcc message crash without nick/host (bsc#1043051) last seen 2020-06-05 modified 2017-06-09 plugin id 100713 published 2017-06-09 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/100713 title openSUSE Security Update : irssi (openSUSE-2017-668) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1283.NASL description According to the versions of the irssi package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Irssi before 1.0.5, when installing themes with unterminated colour formatting sequences, may access data beyond the end of the string.(CVE-2017-15228) - Irssi before 1.0.5, while waiting for the channel synchronisation, may incorrectly fail to remove destroyed channels from the query list, resulting in use-after-free conditions when updating the state later on.(CVE-2017-15227) - In Irssi before 1.0.5, certain incorrectly formatted DCC CTCP messages could cause a NULL pointer dereference. This is a separate, but similar, issue relative to CVE-2017-9468.(CVE-2017-15721) - In certain cases, Irssi before 1.0.5 may fail to verify that a Safe channel ID is long enough, causing reads beyond the end of the string.(CVE-2017-15722) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-12-01 plugin id 104902 published 2017-12-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104902 title EulerOS 2.0 SP1 : irssi (EulerOS-SA-2017-1283)