Details of VAR-201901-1587

ID

VAR-201901-1587

CVE

CVE-2018-4281

TITLE

SwiftNIO Vulnerable to buffer overflow

Trust: 0.8

sources: JVNDB: JVNDB-2018-013789

DESCRIPTION

In SwiftNIO before 1.8.0, a buffer overflow was addressed with improved size validation. SwiftNIO Contains a buffer overflow vulnerability due to a lack of size verification.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Apple SwiftNIO is prone to a buffer-overflow vulnerability because they fail to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in denial-of-service conditions. Versions prior to SwiftNIO 1.8.0 are vulnerable. Apple SwiftNIO is a set of cross-platform asynchronous event-driven open source network application framework written by Apple (Apple). A remote attacker could exploit this vulnerability to overwrite arbitrary memory. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2018-06-27-1 SwiftNIO 1.8.0 SwiftNIO 1.8.0 is now available and addresses the following: SwiftNIO Available for: macOS Sierra 10.12 and later, Ubuntu 14.04 and later Impact: A remote attacker may be able to overwrite arbitrary memory Description: A buffer overflow was addressed with improved size validation. CVE-2018-4281: Apple The following versions also contain the security content of SwiftNIO 1.8.0: 1.0.1, 1.1.1, 1.2.2, 1.3.2, 1.4.3, 1.5.2, 1.6.2, 1.7.3. Installation note: SwiftNIO 1.8.0 may be obtained via Swift Package Manager. Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 and https://github.com/apple/swift-nio/releases/tag/1.8.0. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQJdBAEBCABHFiEEfcwwPWJ3e0Ig26mf8ecVjteJiCYFAlszzrspHHByb2R1Y3Qt c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQ8ecVjteJiCYczQ// bAlQPEBKRG482pKuKfKRXXjBDazu8zTiqsz1sHibYrtGCvNsApIhYOcDuUDKm8ey vk9DDmrcpI9gfxM975077qpnLjSAkpnPB60MRwxceWsNVnXhiLyU0+Fx5yQ2X6ey BhkY5Et+FhgLmrgr/nHb9IFkGGuUnDtNjN7N/GU7hyaGyxeYdfNFHMIUF/BGKroC 3VpD30hxZKFQjLUUXPKSy5oa6jD6FiXEDQmKdBbCpTvIj/f2GUgDkk+ErzzOBCjh Et6BC9QM4qleOzzJu9+8YlCyj2XOuGkWsVs6SMPmpP+mz+1/bDgzmy8hcWSb6cmo rEnE40t3jNHbw23jX9Xu7Fm2OdXw327kERbiwFSOSxzQJh4UwIdz4y5phz29ify3 bXEoInDORhomZuMCiK7ZhjNHFTLNxI1XFbHjbpEEZUgVYRUkHO9kKP9hOzLV8Gu/ nw0MAI5n/8lzxyRdpcBcFPWuWkyOFlIve/1vTQgTOMwOXeUudE1Ps2EWPFZO/Hlh 9nEy+Cd7zngO2YCDFsAePJXJCeg5b4n2FBrd4B3/xDWpeyk8guewwV0uosdqJ6Ht YQMYXUDeT7OHu+31Wt/JNUORIRuaVVStkl3jyrZufS2cyqhkTFX3f/ng8/A1C708 FMLHzFNworXo006KAKYlEOuVIMqz0lM9l5TEwq9E3Qo= =iH/I -----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2018-4281 // JVNDB: JVNDB-2018-013789 // BID: 104574 // VULHUB: VHN-134312 // PACKETSTORM: 148352

AFFECTED PRODUCTS

vendor:	apple	model:	swiftnio	scope:	lt	version:	1.8.0	Trust: 1.0
vendor:	ubuntu	model:	linux lts	scope:	eq	version:	18.04	Trust: 0.3
vendor:	ubuntu	model:	linux	scope:	eq	version:	17.10	Trust: 0.3
vendor:	ubuntu	model:	linux	scope:	eq	version:	17.04	Trust: 0.3
vendor:	ubuntu	model:	linux	scope:	eq	version:	16.10	Trust: 0.3
vendor:	ubuntu	model:	linux lts	scope:	eq	version:	16.04	Trust: 0.3
vendor:	ubuntu	model:	linux	scope:	eq	version:	15.10	Trust: 0.3
vendor:	ubuntu	model:	linux	scope:	eq	version:	15.04	Trust: 0.3
vendor:	ubuntu	model:	linux	scope:	eq	version:	15.0	Trust: 0.3
vendor:	ubuntu	model:	linux	scope:	eq	version:	14.10	Trust: 0.3
vendor:	ubuntu	model:	linux lts	scope:	eq	version:	14.04	Trust: 0.3
vendor:	ubuntu	model:	linux	scope:	eq	version:	14.04	Trust: 0.3
vendor:	apple	model:	swiftnio	scope:	eq	version:	1.7.3	Trust: 0.3
vendor:	apple	model:	swiftnio	scope:	eq	version:	1.6.2	Trust: 0.3
vendor:	apple	model:	swiftnio	scope:	eq	version:	1.5.2	Trust: 0.3
vendor:	apple	model:	swiftnio	scope:	eq	version:	1.4.3	Trust: 0.3
vendor:	apple	model:	swiftnio	scope:	eq	version:	1.3.2	Trust: 0.3
vendor:	apple	model:	swiftnio	scope:	eq	version:	1.2.2	Trust: 0.3
vendor:	apple	model:	swiftnio	scope:	eq	version:	1.1.1	Trust: 0.3
vendor:	apple	model:	swiftnio	scope:	eq	version:	1.0.1	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.13.1	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.13.5	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.13.4	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.13.3	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.13.2	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.13	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.12.6	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.12.5	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.12.4	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.12.3	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.12.2	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.12.1	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.12	Trust: 0.3
vendor:	apple	model:	swiftnio	scope:	ne	version:	1.8	Trust: 0.3

sources: BID: 104574 // NVD: CVE-2018-4281

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-4281
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2018-4281
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201807-1072
value:	HIGH
Trust: 0.6
VULHUB:	VHN-134312
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2018-4281
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-134312
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-4281
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-134312 // JVNDB: JVNDB-2018-013789 // CNNVD: CNNVD-201807-1072 // NVD: CVE-2018-4281

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.9

sources: VULHUB: VHN-134312 // JVNDB: JVNDB-2018-013789 // NVD: CVE-2018-4281

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201807-1072

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201807-1072

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-013789

PATCH

title:	HT208921	url:	https://support.apple.com/en-us/HT208921	Trust: 0.8
title:	HT208921	url:	https://support.apple.com/ja-jp/HT208921	Trust: 0.8
title:	Apple SwiftNIO Buffer error vulnerability fix	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=82089	Trust: 0.6

sources: JVNDB: JVNDB-2018-013789 // CNNVD: CNNVD-201807-1072

EXTERNAL IDS

db:	NVD	id:	CVE-2018-4281	Trust: 2.9
db:	JVN	id:	JVNVU98864649	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-013789	Trust: 0.8
db:	CNNVD	id:	CNNVD-201807-1072	Trust: 0.7
db:	BID	id:	104574	Trust: 0.4
db:	PACKETSTORM	id:	148352	Trust: 0.2
db:	VULHUB	id:	VHN-134312	Trust: 0.1

sources: VULHUB: VHN-134312 // BID: 104574 // JVNDB: JVNDB-2018-013789 // PACKETSTORM: 148352 // CNNVD: CNNVD-201807-1072 // NVD: CVE-2018-4281

REFERENCES

url:	https://support.apple.com/ht208921	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4281	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-4281	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu98864649/index.html	Trust: 0.8
url:	https://www.apple.com/	Trust: 0.3
url:	https://github.com/apple/swift-nio	Trust: 0.3
url:	https://support.apple.com/en-ie/ht208921	Trust: 0.3
url:	http://seclists.org/bugtraq/2018/jun/64	Trust: 0.3
url:	https://support.apple.com/kb/ht201222	Trust: 0.1
url:	https://www.apple.com/support/security/pgp/	Trust: 0.1
url:	https://github.com/apple/swift-nio/releases/tag/1.8.0.	Trust: 0.1

sources: VULHUB: VHN-134312 // BID: 104574 // JVNDB: JVNDB-2018-013789 // PACKETSTORM: 148352 // CNNVD: CNNVD-201807-1072 // NVD: CVE-2018-4281

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 104574

SOURCES

db:	VULHUB	id:	VHN-134312
db:	BID	id:	104574
db:	JVNDB	id:	JVNDB-2018-013789
db:	PACKETSTORM	id:	148352
db:	CNNVD	id:	CNNVD-201807-1072
db:	NVD	id:	CVE-2018-4281

LAST UPDATE DATE

2024-11-23T20:30:29.894000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-134312	date:	2019-01-24T00:00:00
db:	BID	id:	104574	date:	2018-06-27T00:00:00
db:	JVNDB	id:	JVNDB-2018-013789	date:	2019-03-01T00:00:00
db:	CNNVD	id:	CNNVD-201807-1072	date:	2019-04-01T00:00:00
db:	NVD	id:	CVE-2018-4281	date:	2024-11-21T04:07:07.093

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-134312	date:	2019-01-11T00:00:00
db:	BID	id:	104574	date:	2018-06-27T00:00:00
db:	JVNDB	id:	JVNDB-2018-013789	date:	2019-03-01T00:00:00
db:	PACKETSTORM	id:	148352	date:	2018-06-29T00:00:46
db:	CNNVD	id:	CNNVD-201807-1072	date:	2018-07-13T00:00:00
db:	NVD	id:	CVE-2018-4281	date:	2019-01-11T18:29:03.030