Details of VAR-201307-0483

ID

VAR-201307-0483

CVE

CVE-2013-2028

TITLE

nginx of http/ngx_http_parse.c Service disruption in (DoS) Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2013-003473

DESCRIPTION

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness error and a stack-based buffer overflow. nginx is prone to a stack-based buffer-overflow vulnerability. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition. The issue is fixed in nginx 1.4.1 and 1.5.0. nginx is a lightweight web server/reverse proxy server and email (IMAP/POP3) proxy server developed by Russian programmer Igor Sysoev. A denial of service vulnerability exists in the 'ngx_http_parse_chunked' function in http/ngx_http_parse.c in nginx versions 1.3.9 to 1.4.0. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201310-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: nginx: Multiple vulnerabilities Date: October 06, 2013 Bugs: #458726, #468870 ID: 201310-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in nginx, the worst of which may allow execution of arbitrary code. Background ========== nginx is a robust, small, and high performance HTTP and reverse proxy server. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-servers/nginx < 1.4.1-r2 >= 1.4.1-r2 Description =========== Multiple vulnerabilities have been discovered in nginx. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could send a specially crafted request, possibly resulting in execution of arbitrary code with the privileges of the process, or a Denial of Service condition. Furthermore, a context-dependent attacker may be able to obtain sensitive information. Workaround ========== There is no known workaround at this time. Resolution ========== All nginx users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/nginx-1.4.1-r2" References ========== [ 1 ] CVE-2013-0337 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0337 [ 2 ] CVE-2013-2028 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2028 [ 3 ] CVE-2013-2070 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2070 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201310-04.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2013 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . From: Maxim Dounin mdounin at mdounin.ru Tue May 7 11:30:26 UTC 2013 Hello! Greg MacManus, of iSIGHT Partners Labs, found a security problem in several recent versions of nginx. Patch for the problem can be found here: http://nginx.org/download/patch.2013.chunked.txt As a temporary workaround the following configuration can be used in each server{} block: if ($http_transfer_encoding ~* chunked) { return 444; } -- Maxim Dounin http://nginx.org/en/donation.html

Trust: 2.25

sources: NVD: CVE-2013-2028 // JVNDB: JVNDB-2013-003473 // BID: 59699 // VULHUB: VHN-62030 // VULMON: CVE-2013-2028 // PACKETSTORM: 123516 // PACKETSTORM: 121560

AFFECTED PRODUCTS

vendor:	f5	model:	nginx	scope:	lte	version:	1.4.0	Trust: 1.0
vendor:	f5	model:	nginx	scope:	gte	version:	1.3.9	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	19	Trust: 1.0
vendor:	igor sysoev	model:	nginx	scope:	eq	version:	1.3.9 to 1.4.0	Trust: 0.8
vendor:	nginx	model:	nginx	scope:	eq	version:	1.3.9	Trust: 0.6
vendor:	igor sysoev	model:	nginx	scope:	eq	version:	1.3.9	Trust: 0.6
vendor:	igor sysoev	model:	nginx	scope:	eq	version:	1.4.0	Trust: 0.6
vendor:	nginx	model:	nginx	scope:	eq	version:	1.4.0	Trust: 0.6
vendor:	igor	model:	sysoev nginx	scope:	eq	version:	1.4.4	Trust: 0.3
vendor:	igor	model:	sysoev nginx	scope:	eq	version:	1.3.9	Trust: 0.3
vendor:	gentoo	model:	linux	scope:	-	version:	-	Trust: 0.3
vendor:	igor	model:	sysoev nginx	scope:	ne	version:	1.5.7	Trust: 0.3
vendor:	igor	model:	sysoev nginx	scope:	ne	version:	1.4.1	Trust: 0.3

sources: BID: 59699 // JVNDB: JVNDB-2013-003473 // CNNVD: CNNVD-201305-143 // NVD: CVE-2013-2028

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-2028
value:	HIGH
Trust: 1.0
NVD:	CVE-2013-2028
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201305-143
value:	HIGH
Trust: 0.6
VULHUB:	VHN-62030
value:	HIGH
Trust: 0.1
VULMON:	CVE-2013-2028
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2013-2028
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-62030
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-62030 // VULMON: CVE-2013-2028 // JVNDB: JVNDB-2013-003473 // CNNVD: CNNVD-201305-143 // NVD: CVE-2013-2028

PROBLEMTYPE DATA

problemtype:	CWE-787	Trust: 1.1
problemtype:	CWE-189	Trust: 0.9

sources: VULHUB: VHN-62030 // JVNDB: JVNDB-2013-003473 // NVD: CVE-2013-2028

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201305-143

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201305-143

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-003473

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-62030 // VULMON: CVE-2013-2028

PATCH

title:	GLSA 201310-04	url:	http://www.gentoo.org/security/en/glsa/glsa-201310-04.xml	Trust: 0.8
title:	Top Page	url:	http://nginx.org/ja/	Trust: 0.8
title:	CVE-2013-2028	url:	http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html	Trust: 0.8
title:	nginx 'ngx_http_parse.c' Repair measures for stack buffer error vulnerability	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=134168	Trust: 0.6
title:	nginxpwn	url:	https://github.com/kitctf/nginxpwn	Trust: 0.1
title:	hack4career	url:	https://github.com/mertsarica/hack4career	Trust: 0.1
title:	docker-cve-2013-2028	url:	https://github.com/mambroziak/docker-cve-2013-2028	Trust: 0.1
title:	nginx-1.4.0	url:	https://github.com/danghvu/nginx-1.4.0	Trust: 0.1
title:	zeus-software-security	url:	https://github.com/alexgeunholee/zeus-software-security	Trust: 0.1
title:	nginxhack	url:	https://github.com/jptr218/nginxhack	Trust: 0.1
title:	non-controlflow-hijacking-datasets	url:	https://github.com/camel-clarkson/non-controlflow-hijacking-datasets	Trust: 0.1
title:	exploit-development-case-studies	url:	https://github.com/dyjakan/exploit-development-case-studies	Trust: 0.1
title:	LinuxFlaw	url:	https://github.com/mudongliang/LinuxFlaw	Trust: 0.1

sources: VULMON: CVE-2013-2028 // JVNDB: JVNDB-2013-003473 // CNNVD: CNNVD-201305-143

EXTERNAL IDS

db:	NVD	id:	CVE-2013-2028	Trust: 3.1
db:	BID	id:	59699	Trust: 2.1
db:	PACKETSTORM	id:	121675	Trust: 1.8
db:	SECUNIA	id:	55181	Trust: 1.8
db:	OSVDB	id:	93037	Trust: 1.8
db:	JVNDB	id:	JVNDB-2013-003473	Trust: 0.8
db:	CNNVD	id:	CNNVD-201305-143	Trust: 0.7
db:	PACKETSTORM	id:	121560	Trust: 0.2
db:	EXPLOIT-DB	id:	25499	Trust: 0.2
db:	PACKETSTORM	id:	125758	Trust: 0.1
db:	PACKETSTORM	id:	121712	Trust: 0.1
db:	PACKETSTORM	id:	122477	Trust: 0.1
db:	EXPLOIT-DB	id:	26737	Trust: 0.1
db:	EXPLOIT-DB	id:	25775	Trust: 0.1
db:	EXPLOIT-DB	id:	32277	Trust: 0.1
db:	SEEBUG	id:	SSVID-85572	Trust: 0.1
db:	SEEBUG	id:	SSVID-79430	Trust: 0.1
db:	SEEBUG	id:	SSVID-79160	Trust: 0.1
db:	SEEBUG	id:	SSVID-80363	Trust: 0.1
db:	VULHUB	id:	VHN-62030	Trust: 0.1
db:	VULMON	id:	CVE-2013-2028	Trust: 0.1
db:	PACKETSTORM	id:	123516	Trust: 0.1

sources: VULHUB: VHN-62030 // VULMON: CVE-2013-2028 // BID: 59699 // JVNDB: JVNDB-2013-003473 // PACKETSTORM: 123516 // PACKETSTORM: 121560 // CNNVD: CNNVD-201305-143 // NVD: CVE-2013-2028

REFERENCES

url:	http://www.securityfocus.com/bid/59699	Trust: 1.9
url:	http://security.gentoo.org/glsa/glsa-201310-04.xml	Trust: 1.9
url:	http://nginx.org/download/patch.2013.chunked.txt	Trust: 1.9
url:	http://lists.fedoraproject.org/pipermail/package-announce/2013-may/105176.html	Trust: 1.8
url:	http://packetstormsecurity.com/files/121675/nginx-1.3.9-1.4.0-denial-of-service.html	Trust: 1.8
url:	http://www.vnsecurity.net/2013/05/analysis-of-nginx-cve-2013-2028/	Trust: 1.8
url:	https://github.com/rapid7/metasploit-framework/pull/1834	Trust: 1.8
url:	http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html	Trust: 1.8
url:	http://www.osvdb.org/93037	Trust: 1.8
url:	http://secunia.com/advisories/55181	Trust: 1.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-2028	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-2028	Trust: 0.8
url:	http://nginx.org/	Trust: 0.3
url:	http://int3pids.blogspot.com.es/2013/07/nginx-reliable-explotation-through.html	Trust: 0.3
url:	http://seclists.org/oss-sec/2013/q2/290	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2013-2028	Trust: 0.2
url:	https://cwe.mitre.org/data/definitions/787.html	Trust: 0.1
url:	https://github.com/kitctf/nginxpwn	Trust: 0.1
url:	https://www.exploit-db.com/exploits/25499/	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	http://creativecommons.org/licenses/by-sa/2.5	Trust: 0.1
url:	https://bugs.gentoo.org.	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-2070	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2013-0337	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-0337	Trust: 0.1
url:	http://security.gentoo.org/	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2013-2028	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2013-2070	Trust: 0.1
url:	http://nginx.org/en/donation.html	Trust: 0.1

CREDITS

Greg MacManus of iSIGHT Partners Labs

Trust: 0.9

sources: BID: 59699 // CNNVD: CNNVD-201305-143

SOURCES

db:	VULHUB	id:	VHN-62030
db:	VULMON	id:	CVE-2013-2028
db:	BID	id:	59699
db:	JVNDB	id:	JVNDB-2013-003473
db:	PACKETSTORM	id:	123516
db:	PACKETSTORM	id:	121560
db:	CNNVD	id:	CNNVD-201305-143
db:	NVD	id:	CVE-2013-2028

LAST UPDATE DATE

2024-08-14T12:12:49.260000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-62030	date:	2021-11-10T00:00:00
db:	VULMON	id:	CVE-2013-2028	date:	2021-11-10T00:00:00
db:	BID	id:	59699	date:	2015-04-13T21:40:00
db:	JVNDB	id:	JVNDB-2013-003473	date:	2013-11-12T00:00:00
db:	CNNVD	id:	CNNVD-201305-143	date:	2023-05-15T00:00:00
db:	NVD	id:	CVE-2013-2028	date:	2021-11-10T15:59:33.553

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-62030	date:	2013-07-20T00:00:00
db:	VULMON	id:	CVE-2013-2028	date:	2013-07-20T00:00:00
db:	BID	id:	59699	date:	2013-05-07T00:00:00
db:	JVNDB	id:	JVNDB-2013-003473	date:	2013-07-23T00:00:00
db:	PACKETSTORM	id:	123516	date:	2013-10-07T22:29:42
db:	PACKETSTORM	id:	121560	date:	2013-05-08T02:43:02
db:	CNNVD	id:	CNNVD-201305-143	date:	2013-05-14T00:00:00
db:	NVD	id:	CVE-2013-2028	date:	2013-07-20T03:37:20.730