CVE-2019-18609 - Out-of-bounds Write vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
An issue was discovered in amqp_handle_input in amqp_connection.c in rabbitmq-c 0.9.0. There is an integer overflow that leads to heap memory corruption in the handling of CONNECTION_STATE_HEADER. A rogue server could return a malicious frame header that leads to a smaller target_size value than needed. This condition is then carried on to a memcpy function that copies too much data into a heap buffer.
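Added example, not code from rabbitmq-c or from the original page: a simplified C model of the frame-size arithmetic the summary describes, showing an unchecked 32-bit sum beside a bounds check that cannot wrap. The function names, status codes, sample headers and the frame_max value of 131072 are assumptions made for illustration; the 7-byte header and 1-byte frame-end follow the AMQP 0-9-1 framing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HEADER_SIZE 7u /* type (1) + channel (2) + payload size (4) */
#define FOOTER_SIZE 1u /* frame-end octet */
#define STATUS_OK 0
#define STATUS_BAD_DATA (-1)

/* Constructed sample headers (not captured traffic). */
static const uint8_t SAMPLE_WRAP_HDR[7] = {1, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF};
static const uint8_t SAMPLE_OK_HDR[7] = {1, 0, 0, 0, 0, 0, 16};

/* Big-endian 32-bit payload size stored at offset 3 of the frame header. */
static uint32_t frame_payload_size(const uint8_t hdr[HEADER_SIZE]) {
  return ((uint32_t)hdr[3] << 24) | ((uint32_t)hdr[4] << 16) |
         ((uint32_t)hdr[5] << 8) | (uint32_t)hdr[6];
}

/* Unchecked form: the 32-bit sum wraps for sizes near UINT32_MAX, so the
 * frame_max comparison passes with a target size smaller than needed. */
int target_size_unchecked(const uint8_t hdr[HEADER_SIZE], int32_t frame_max,
                          size_t *target_size) {
  uint32_t total = frame_payload_size(hdr) + HEADER_SIZE + FOOTER_SIZE;
  if ((uint32_t)frame_max < total) return STATUS_BAD_DATA;
  *target_size = total;
  return STATUS_OK;
}

/* Checked form (hypothetical hardening, not the upstream patch): compare the
 * payload against the remaining budget by subtraction, which cannot wrap. */
int target_size_checked(const uint8_t hdr[HEADER_SIZE], int32_t frame_max,
                        size_t *target_size) {
  uint32_t payload = frame_payload_size(hdr);
  if (frame_max < (int32_t)(HEADER_SIZE + FOOTER_SIZE)) return STATUS_BAD_DATA;
  if (payload > (uint32_t)frame_max - HEADER_SIZE - FOOTER_SIZE)
    return STATUS_BAD_DATA;
  *target_size = (size_t)payload + HEADER_SIZE + FOOTER_SIZE;
  return STATUS_OK;
}

int main(void) {
  size_t t = 0;
  int rc = target_size_unchecked(SAMPLE_WRAP_HDR, 131072, &t);
  printf("unchecked: rc=%d target_size=%zu\n", rc, t);
  rc = target_size_checked(SAMPLE_WRAP_HDR, 131072, &t);
  printf("checked:   rc=%d\n", rc);
  return 0;
}
```

In the unchecked path the accepted target size is smaller than the header already read, which is the "smaller target_size value than needed" condition that a later copy into a heap buffer would inherit.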
Nessus
- NASL family: Ubuntu Local Security Checks
  NASL id: UBUNTU_USN-4214-2.NASL
  description: USN-4214-1 fixed a vulnerability in RabbitMQ. This update provides the corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Original advisory details : It was discovered that RabbitMQ incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 132012
  published: 2019-12-12
  reporter: Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/132012
  title: Ubuntu 16.04 LTS / 18.04 LTS : librabbitmq vulnerability (USN-4214-2)

- NASL family: Ubuntu Local Security Checks
  NASL id: UBUNTU_USN-4214-1.NASL
  description: It was discovered that RabbitMQ incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 131761
  published: 2019-12-06
  reporter: Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/131761
  title: Ubuntu 19.04 / 19.10 : librabbitmq vulnerability (USN-4214-1)

- NASL family: Fedora Local Security Checks
  NASL id: FEDORA_2019-8730B65158.NASL
  description:
    **Added:**
    - amqp_ssl_socket_get_context can be used to get the current OpenSSL CTX* associated with a connection.
    **Changed:**
    - openssl: missing OpenSSL config is ignored as an OpenSSL init error (#523)
    - AMQP_DEFAULT_MAX_CHANNELS is now set to 2047 to follow current default channel limit in the RabbitMQ broker. (#513)
    **Fixed:**
    - add additional input validation to prevent integer overflow when parsing a frame header. This addresses **CVE-2019-18609**.
    Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 131841
  published: 2019-12-10
  reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/131841
  title: Fedora 31 : librabbitmq (2019-8730b65158)

- NASL family: Fedora Local Security Checks
  NASL id: FEDORA_2019-DD7C8F5435.NASL
  description:
    **Added:**
    - amqp_ssl_socket_get_context can be used to get the current OpenSSL CTX* associated with a connection.
    **Changed:**
    - openssl: missing OpenSSL config is ignored as an OpenSSL init error (#523)
    - AMQP_DEFAULT_MAX_CHANNELS is now set to 2047 to follow current default channel limit in the RabbitMQ broker. (#513)
    **Fixed:**
    - add additional input validation to prevent integer overflow when parsing a frame header. This addresses **CVE-2019-18609**.
    Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 131843
  published: 2019-12-10
  reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/131843
  title: Fedora 30 : librabbitmq (2019-dd7c8f5435)

- NASL family: Huawei Local Security Checks
  NASL id: EULEROS_SA-2020-1163.NASL
  description: According to the version of the librabbitmq package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - An issue was discovered in amqp_handle_input in amqp_connection.c in rabbitmq-c 0.9.0. There is an integer overflow that leads to heap memory corruption in the handling of CONNECTION_STATE_HEADER. A rogue server could return a malicious frame header that leads to a smaller target_size value than needed. This condition is then carried on to a memcpy function that copies too much data into a heap buffer. (CVE-2019-18609) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-05-03
  modified: 2020-02-25
  plugin id: 133997
  published: 2020-02-25
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/133997
  title: EulerOS 2.0 SP8 : librabbitmq (EulerOS-SA-2020-1163)

- NASL family: Gentoo Local Security Checks
  NASL id: GENTOO_GLSA-202003-07.NASL
  description: The remote host is affected by the vulnerability described in GLSA-202003-07 (RabbitMQ C client: Arbitrary code execution) It was discovered that RabbitMQ C client incorrectly handled certain inputs. Impact : A remote attacker, by sending a specially crafted request, could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
  last seen: 2020-03-19
  modified: 2020-03-13
  plugin id: 134474
  published: 2020-03-13
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/134474
  title: GLSA-202003-07 : RabbitMQ C client: Arbitrary code execution

- NASL family: Debian Local Security Checks
  NASL id: DEBIAN_DLA-2022.NASL
  description: It was discovered that there was an integer overflow vulnerability in librabbitmq, a library for robust messaging between applications and servers. For Debian 8
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 131780
  published: 2019-12-09
  reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/131780
  title: Debian DLA-2022-1 : librabbitmq security update

- NASL family: Huawei Local Security Checks
  NASL id: EULEROS_SA-2020-1116.NASL
  description: According to the version of the librabbitmq package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - An issue was discovered in amqp_handle_input in amqp_connection.c in rabbitmq-c 0.9.0. There is an integer overflow that leads to heap memory corruption in the handling of CONNECTION_STATE_HEADER. A rogue server could return a malicious frame header that leads to a smaller target_size value than needed. This condition is then carried on to a memcpy function that copies too much data into a heap buffer. (CVE-2019-18609) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-05-06
  modified: 2020-02-24
  plugin id: 133917
  published: 2020-02-24
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/133917
  title: EulerOS 2.0 SP5 : librabbitmq (EulerOS-SA-2020-1116)
References
- https://github.com/alanxz/rabbitmq-c/commit/fc85be7123050b91b054e45b91c78d3241a5047a
- https://github.com/alanxz/rabbitmq-c/blob/master/ChangeLog.md
- https://news.ycombinator.com/item?id=21681976
- https://usn.ubuntu.com/4214-1/
- https://lists.debian.org/debian-lts-announce/2019/12/msg00004.html
- https://usn.ubuntu.com/4214-2/
- https://security.gentoo.org/glsa/202003-07
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WA7CPNVYMF6OQNIYNLWUY6U2GTKFOKH3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQER6XTKYMHNQR7QTHW7DJAH645WQROU/