Vulnerabilities > CVE-2018-7053 - Use After Free vulnerability in multiple products

CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
irssi
debian
canonical
CWE-416
critical
nessus

Summary

An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. There is a use-after-free when SASL messages are received in an unexpected order.

Common Weakness Enumeration (CWE)

CWE-416: Use After Free

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-433D2DC3C7.NASL
    descriptionThis is new version fixing multiple vulnerabilities: CVE-2018-7050, CVE-2018-7051, CVE-2018-7052, CVE-2018-7053, CVE-2018-7054. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-02-27
    plugin id107008
    published2018-02-27
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107008
    titleFedora 27 : irssi (2018-433d2dc3c7)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2018-433d2dc3c7.
    #
    
    include("compat.inc");
    
    # Registration pass: when the scanner loads this plugin with `description`
    # set, the block only records metadata and leaves via exit(0) at its end,
    # before any of the host checks further down run.
    if (description)
    {
      script_id(107008);
      script_version("3.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      # One plugin covers all five Irssi CVEs fixed by this Fedora update, so a
      # finding means "update not applied", not that a specific CVE was confirmed.
      script_cve_id("CVE-2018-7050", "CVE-2018-7051", "CVE-2018-7052", "CVE-2018-7053", "CVE-2018-7054");
      script_xref(name:"FEDORA", value:"2018-433d2dc3c7");
    
      script_name(english:"Fedora 27 : irssi (2018-433d2dc3c7)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This is new version fixing multiple vulnerabilities: CVE-2018-7050,
    CVE-2018-7051, CVE-2018-7052, CVE-2018-7053, CVE-2018-7054.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-433d2dc3c7"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected irssi package.");
      # Both vectors describe a network-reachable issue needing no authentication
      # (AV:N/AC:L, Au:N / PR:N). They differ in impact: partial (C:P/I:P/A:P)
      # under CVSS v2, high (C:H/I:H/A:H) under CVSS v3.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      # "local": the verdict comes from package data gathered on the host (see
      # the required KB keys below), not from interacting with irssi itself.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:irssi");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/02/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      # Presumably ssh_get_info.nasl is what fills in the Host/* KB entries
      # required on the next line -- confirm against that plugin.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Host gating. Each test hands a reason to audit() when the plugin does not
    # apply. The statements that follow rely on audit() ending the script
    # (audit.inc is not shown here), e.g. os_ver[1] is read right after the
    # isnull(os_ver) test.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    # ">!<" is NASL's "is not a substring of": stop unless the release string names Fedora.
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    # Capture group 1 is the numeric Fedora release.
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    # Only Fedora 27 is in scope: "27" must be followed by a non-digit or the
    # end of the string, so a value such as "270" does not match.
    if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver);
    
    # Without the collected RPM list there is nothing to compare against.
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    # Only x86_64 and i386-i686 hosts are evaluated. Other architectures leave
    # with "local checks not implemented", which is a coverage gap in the scan
    # result, not evidence that the host is patched.
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    # Package comparison. "irssi-1.0.7-1.fc27" is the reference build for
    # Fedora 27. rpm_check() comes from rpm.inc (not shown) and presumably
    # returns true when the installed irssi is older than that reference.
    # Only the collected RPM list is consulted, so an irssi built from source
    # or installed outside RPM is not assessed by this plugin.
    flag = 0;
    if (rpm_check(release:"FC27", reference:"irssi-1.0.7-1.fc27")) flag++;
    
    
    if (flag)
    {
      # Raise the finding on port 0 and attach the text from rpm_report_get(),
      # presumably the installed-versus-reference package details.
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      # Not flagged: record in the audit trail whether a package was compared
      # and found not affected, or whether irssi was not installed at all.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "irssi");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-171.NASL
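    descriptionThis update for irssi fixes the following security issues : - CVE-2018-7054: Use after free when server is disconnected during netsplits - CVE-2018-7053: Use after free when SASL messages are received in unexpected order - CVE-2018-7050: NULL pointer dereference when an 'empty' nick has been observed - CVE-2018-7052: When the number of windows exceed the available space, Irssi would crash due to NULL pointer dereference - CVE-2018-7051: Certain nick names could result in out of bounds access when printing theme strings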
    last seen2020-06-05
    modified2018-02-20
    plugin id106889
    published2018-02-20
    reporterThis script is Copyright (C) 2018-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/106889
    titleopenSUSE Security Update : irssi (openSUSE-2018-171)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2018-171.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    # Registration pass: when the scanner loads this plugin with `description`
    # set, the block only records metadata and leaves via exit(0) at its end,
    # before any of the host checks further down run.
    if (description)
    {
      script_id(106889);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      # One plugin covers all five Irssi CVEs fixed by this openSUSE update, so a
      # finding means "update not applied", not that a specific CVE was confirmed.
      script_cve_id("CVE-2018-7050", "CVE-2018-7051", "CVE-2018-7052", "CVE-2018-7053", "CVE-2018-7054");
    
      script_name(english:"openSUSE Security Update : irssi (openSUSE-2018-171)");
      script_summary(english:"Check for the openSUSE-2018-171 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for irssi fixes the following security issues :
    
      - CVE-2018-7054: Use after free when server is
        disconnected during netsplits
    
      - CVE-2018-7053: Use after free when SASL messages are
        received in unexpected order
    
      - CVE-2018-7050: NULL pointer dereference when an 'empty'
        nick has been observed
    
      - CVE-2018-7052: When the number of windows exceed the
        available space, Irssi would crash due to NULL pointer
        dereference
    
      - CVE-2018-7051: Certain nick names could result in out of
        bounds access when printing theme strings"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1081238"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected irssi packages."
      );
      # Both vectors describe a network-reachable issue needing no authentication
      # (AV:N/AC:L, Au:N / PR:N). They differ in impact: partial (C:P/I:P/A:P)
      # under CVSS v2, high (C:H/I:H/A:H) under CVSS v3.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      # "local": the verdict comes from package data gathered on the host (see
      # the required KB keys below), not from interacting with irssi itself.
      script_set_attribute(attribute:"plugin_type", value:"local");
      # The CPE list matches the four packages compared in the check section.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:irssi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:irssi-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:irssi-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:irssi-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/02/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/20");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      # Presumably ssh_get_info.nasl is what fills in the Host/* KB entries
      # required on the next line -- confirm against that plugin.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Host gating. Each test hands a reason to audit() when the plugin does not
    # apply. The statements that follow rely on audit() ending the script
    # (audit.inc is not shown here).
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    # Release strings starting with SLED or SLES are audited out as "not openSUSE".
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    # Only an exact "SUSE42.3" release string is in scope.
    if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
    # Without the collected RPM list there is nothing to compare against.
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    # Only i586, i686 and x86_64 hosts are evaluated. Any other architecture is
    # audited out, which is a coverage gap in the scan result, not evidence
    # that the host is patched.
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    # Package comparison against the 1.0.7-25.1 reference builds for openSUSE
    # 42.3. rpm_check() comes from rpm.inc (not shown) and presumably returns
    # true when the installed package is older than the reference. Any one of
    # the four packages, including the debug and devel ones, is enough to
    # raise the finding. Only the collected RPM list is consulted, so an irssi
    # built from source or installed outside RPM is not assessed.
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.3", reference:"irssi-1.0.7-25.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"irssi-debuginfo-1.0.7-25.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"irssi-debugsource-1.0.7-25.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"irssi-devel-1.0.7-25.1") ) flag++;
    
    if (flag)
    {
      # The package details from rpm_report_get() are attached only when
      # report_verbosity is above 0; otherwise the finding is raised on port 0
      # with no extra text. report_verbosity is not set in this script
      # (presumably it comes from global_settings.inc).
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      # Not flagged: record in the audit trail whether packages were compared
      # and found not affected, or whether none of them was installed.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "irssi / irssi-debuginfo / irssi-debugsource / irssi-devel");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4162.NASL
    descriptionMultiple vulnerabilities have been discovered in Irssi, a terminal-based IRC client which can result in denial of service.
    last seen2020-06-01
    modified2020-06-02
    plugin id108774
    published2018-04-02
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108774
    titleDebian DSA-4162-1 : irssi - security update
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_7AFC5E56156D11E895F2005056925DB4.NASL
    descriptionIrssi reports : Use after free when server is disconnected during netsplits. Found by Joseph Bisch. Use after free when SASL messages are received in unexpected order. Found by Joseph Bisch. NULL pointer dereference when an
    last seen2020-06-01
    modified2020-06-02
    plugin id106881
    published2018-02-20
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106881
    titleFreeBSD : irssi -- multiple vulnerabilities (7afc5e56-156d-11e8-95f2-005056925db4)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-CBC52E8812.NASL
    descriptionThis is new version fixing multiple vulnerabilities: CVE-2018-7050, CVE-2018-7051, CVE-2018-7052, CVE-2018-7053, CVE-2018-7054. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-02-27
    plugin id107013
    published2018-02-27
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107013
    titleFedora 26 : irssi (2018-cbc52e8812)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2018-046-01.NASL
    descriptionNew irssi packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id106850
    published2018-02-16
    reporterThis script is Copyright (C) 2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/106850
    titleSlackware 14.0 / 14.1 / 14.2 / current : irssi (SSA:2018-046-01)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2019-011-01.NASL
    descriptionNew irssi packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen2020-03-17
    modified2019-01-14
    plugin id121144
    published2019-01-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121144
    titleSlackware 14.0 / 14.1 / 14.2 / current : irssi (SSA:2019-011-01)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3590-1.NASL
    descriptionIt was discovered that Irssi incorrectly handled certain empty nick names. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-7050) It was discovered that Irssi incorrectly handled certain nick names. An attacker could possibly use this to access sensitive information. (CVE-2018-7051) It was discovered that Irssi incorrectly handled an increase in the number of windows. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-7052) It was discovered that Irssi incorrectly handled certain messages. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-7053) It was discovered that Irssi incorrectly handled certain disconnections. An attacker could possibly use this to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 17.10. (CVE-2018-7054). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id107193
    published2018-03-07
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107193
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.10 : irssi vulnerabilities (USN-3590-1)