Sign-up

ID

VAR-201812-0951


CVE

CVE-2018-20002


TITLE

GNU Binutils Resource management vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-012680

DESCRIPTION

The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm. GNU Binutils Contains a resource management vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. GNU Binutils is prone to a denial-of-service vulnerability. Attackers can exploit this issue to cause denial-of-service condition, denying service to legitimate users. GNU Binutils 2.31 is vulnerable; other versions may also be affected. Archive tools. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201908-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Binutils: Multiple vulnerabilities Date: August 03, 2019 Bugs: #672904, #672910, #674668, #682698, #682702 ID: 201908-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Multiple vulnerabilities have been found in Binutils, the worst of which may allow remote attackers to cause a Denial of Service condition. Background ========= The GNU Binutils are a collection of tools to create, modify and analyse binary files. Many of the files use BFD, the Binary File Descriptor library, to do low-level manipulation. Please review the referenced CVE identifiers for details. Impact ===== A remote attacker, by enticing a user to compile/execute a specially crafted ELF, object, PE, or binary file, could possibly cause a Denial of Service condition or have other unspecified impacts. Workaround ========= There is no known workaround at this time. Resolution ========= All Binutils users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-devel/binutils-2.32-r1" References ========= [ 1 ] CVE-2018-10372 https://nvd.nist.gov/vuln/detail/CVE-2018-10372 [ 2 ] CVE-2018-10373 https://nvd.nist.gov/vuln/detail/CVE-2018-10373 [ 3 ] CVE-2018-10534 https://nvd.nist.gov/vuln/detail/CVE-2018-10534 [ 4 ] CVE-2018-10535 https://nvd.nist.gov/vuln/detail/CVE-2018-10535 [ 5 ] CVE-2018-12641 https://nvd.nist.gov/vuln/detail/CVE-2018-12641 [ 6 ] CVE-2018-12697 https://nvd.nist.gov/vuln/detail/CVE-2018-12697 [ 7 ] CVE-2018-12698 https://nvd.nist.gov/vuln/detail/CVE-2018-12698 [ 8 ] CVE-2018-12699 https://nvd.nist.gov/vuln/detail/CVE-2018-12699 [ 9 ] CVE-2018-12700 https://nvd.nist.gov/vuln/detail/CVE-2018-12700 [ 10 ] CVE-2018-13033 https://nvd.nist.gov/vuln/detail/CVE-2018-13033 [ 11 ] CVE-2018-19931 https://nvd.nist.gov/vuln/detail/CVE-2018-19931 [ 12 ] CVE-2018-19932 https://nvd.nist.gov/vuln/detail/CVE-2018-19932 [ 13 ] CVE-2018-20002 https://nvd.nist.gov/vuln/detail/CVE-2018-20002 [ 14 ] CVE-2018-20651 https://nvd.nist.gov/vuln/detail/CVE-2018-20651 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201908-01 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ====== Copyright 2019 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Trust: 2.16

sources: NVD: CVE-2018-20002 // JVNDB: JVNDB-2018-012680 // BID: 106142 // VULHUB: VHN-130765 // VULMON: CVE-2018-20002 // PACKETSTORM: 153865

AFFECTED PRODUCTS

vendor:gnumodel:binutilsscope:eqversion:2.31

Trust: 1.9

vendor:f5model:traffix signaling delivery controllerscope:eqversion:4.4.0

Trust: 1.0

vendor:netappmodel:vasa providerscope:gteversion:7.2

Trust: 1.0

vendor:f5model:traffix signaling delivery controllerscope:lteversion:5.1.0

Trust: 1.0

vendor:f5model:traffix signaling delivery controllerscope:gteversion:5.0.0

Trust: 1.0

vendor:gnumodel:binutilsscope: - version: -

Trust: 0.8

vendor:gnumodel:binutilsscope:neversion:2.32

Trust: 0.3

sources: BID: 106142 // JVNDB: JVNDB-2018-012680 // CNNVD: CNNVD-201812-370 // NVD: CVE-2018-20002

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-20002
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-20002
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201812-370
value: MEDIUM

Trust: 0.6

VULHUB: VHN-130765
value: MEDIUM

Trust: 0.1

VULMON: CVE-2018-20002
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-20002
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-130765
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-20002
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-130765 // VULMON: CVE-2018-20002 // JVNDB: JVNDB-2018-012680 // CNNVD: CNNVD-201812-370 // NVD: CVE-2018-20002

PROBLEMTYPE DATA

problemtype:CWE-772

Trust: 1.1

problemtype:CWE-399

Trust: 0.9

sources: VULHUB: VHN-130765 // JVNDB: JVNDB-2018-012680 // NVD: CVE-2018-20002

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201812-370

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201812-370

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-012680

PATCH
title:Bug 23952url:https://sourceware.org/bugzilla/show_bug.cgi?id=23952
Trust: 0.8
title:PR23952, memory leak in _bfd_generic_read_minisymbolsurl:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c2f5dc30afa34696f2da0081c4ac50b958ecb0e9
Trust: 0.8
title:GNU Binutils Binary File Descriptor library Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=87631
Trust: 0.6
title:Red Hat: CVE-2018-20002url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2018-20002
Trust: 0.1
title:Arch Linux Issues: url:https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2018-20002
Trust: 0.1
title:Arch Linux Advisories: [ASA-201906-3] binutils: multiple issuesurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201906-3
Trust: 0.1
title:Ubuntu Security Notice: binutils vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4336-1
Trust: 0.1
title:IBM: Security Bulletin: IBM Cloud Pak for Security is vulnerable to using components with known vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=11f5d971f7d860c9a65bb387cd7c4b76
Trust: 0.1
title:Siemens Security Advisories: Siemens Security Advisoryurl:https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=ec6577109e640dac19a6ddb978afe82d
Trust: 0.1
title:MemLock-Fuzzurl:https://github.com/wcventure/MemLock-Fuzz 
Trust: 0.1
title: - url:https://github.com/fuzz-evaluator/MemLock-Fuzz-eval 
Trust: 0.1
title: - url:https://github.com/vincent-deng/veracode-container-security-finding-parser 
Trust: 0.1
sources:
            
            
            VULMON: CVE-2018-20002 // 
            
            
            
            JVNDB: JVNDB-2018-012680 // 
            
            
            
            CNNVD: CNNVD-201812-370

EXTERNAL IDS
db:NVDid:CVE-2018-20002
Trust: 3.0
db:BIDid:106142
Trust: 2.1
db:JVNDBid:JVNDB-2018-012680
Trust: 0.8
db:CNNVDid:CNNVD-201812-370
Trust: 0.7
db:PACKETSTORMid:153865
Trust: 0.7
db:AUSCERTid:ESB-2020.1400
Trust: 0.6
db:AUSCERTid:ESB-2021.2483
Trust: 0.6
db:VULHUBid:VHN-130765
Trust: 0.1
db:VULMONid:CVE-2018-20002
Trust: 0.1
sources:
            
            
            VULHUB: VHN-130765 // 
            
            
            
            VULMON: CVE-2018-20002 // 
            
            
            
            BID: 106142 // 
            
            
            
            JVNDB: JVNDB-2018-012680 // 
            
            
            
            PACKETSTORM: 153865 // 
            
            
            
            CNNVD: CNNVD-201812-370 // 
            
            
            
            NVD: CVE-2018-20002

REFERENCES
url:http://www.securityfocus.com/bid/106142
Trust: 2.5
url:https://sourceware.org/bugzilla/show_bug.cgi?id=23952
Trust: 2.1
url:https://security.gentoo.org/glsa/201908-01
Trust: 1.9
url:https://security.netapp.com/advisory/ntap-20190221-0004/
Trust: 1.8
url:https://support.f5.com/csp/article/k62602089
Trust: 1.8
url:https://usn.ubuntu.com/4336-1/
Trust: 1.3
url:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3bh=c2f5dc30afa34696f2da0081c4ac50b958ecb0e9
Trust: 1.1
url:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c2f5dc30afa34696f2da0081c4ac50b958ecb0e9
Trust: 1.0
url:https://nvd.nist.gov/vuln/detail/cve-2018-20002
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-20002
Trust: 0.8
url:https://www.auscert.org.au/bulletins/esb-2020.1400/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnu-binutils-affect-ibm-netezza-analytics/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2021.2483
Trust: 0.6
url:https://vigilance.fr/vulnerability/gnu-binutils-multiple-vulnerabilities-32082
Trust: 0.6
url:https://www.ibm.com/support/pages/node/1143448
Trust: 0.6
url:https://packetstormsecurity.com/files/153865/gentoo-linux-security-advisory-201908-01.html
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnu-binutils-affect-ibm-netezza-platform-software-clients/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnu-binutils-affect-ibm-netezza-analytics-for-nps/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnu-binutils-affect-ibm-netezza-performance-server/
Trust: 0.6
url:https://www.gnu.org/software/binutils/
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/772.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://tools.cisco.com/security/center/viewalert.x?alertid=59290
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-12641
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-10535
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-10372
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-12699
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-13033
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-12698
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-12700
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-19931
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-20651
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-10373
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-12697
Trust: 0.1
url:https://creativecommons.org/licenses/by-sa/2.5
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-19932
Trust: 0.1
url:https://security.gentoo.org/
Trust: 0.1
url:https://bugs.gentoo.org.
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-10534
Trust: 0.1
sources:
            
            
            VULHUB: VHN-130765 // 
            
            
            
            VULMON: CVE-2018-20002 // 
            
            
            
            BID: 106142 // 
            
            
            
            JVNDB: JVNDB-2018-012680 // 
            
            
            
            PACKETSTORM: 153865 // 
            
            
            
            CNNVD: CNNVD-201812-370 // 
            
            
            
            NVD: CVE-2018-20002

CREDITS
Gentoo
Trust: 0.7
sources:
            
            
            PACKETSTORM: 153865 // 
            
            
            
            CNNVD: CNNVD-201812-370

SOURCES
db:VULHUBid:VHN-130765
db:VULMONid:CVE-2018-20002
db:BIDid:106142
db:JVNDBid:JVNDB-2018-012680
db:PACKETSTORMid:153865
db:CNNVDid:CNNVD-201812-370
db:NVDid:CVE-2018-20002

LAST UPDATE DATE
2024-11-23T20:05:13.162000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-130765date:2019-10-03T00:00:00
db:VULMONid:CVE-2018-20002date:2023-11-07T00:00:00
db:BIDid:106142date:2018-12-09T00:00:00
db:JVNDBid:JVNDB-2018-012680date:2019-02-06T00:00:00
db:CNNVDid:CNNVD-201812-370date:2021-07-26T00:00:00
db:NVDid:CVE-2018-20002date:2024-11-21T04:00:43.770

SOURCES RELEASE DATE
db:VULHUBid:VHN-130765date:2018-12-10T00:00:00
db:VULMONid:CVE-2018-20002date:2018-12-10T00:00:00
db:BIDid:106142date:2018-12-09T00:00:00
db:JVNDBid:JVNDB-2018-012680date:2019-02-06T00:00:00
db:PACKETSTORMid:153865date:2019-08-03T23:41:32
db:CNNVDid:CNNVD-201812-370date:2018-12-10T00:00:00
db:NVDid:CVE-2018-20002date:2018-12-10T02:29:00.390