ID CVE-2014-1693
Summary Multiple CRLF injection vulnerabilities in the FTP module in Erlang/OTP R15B03 allow context-dependent attackers to inject arbitrary FTP commands via CRLF sequences in the (1) user, (2) account, (3) cd, (4) ls, (5) nlist, (6) rename, (7) delete, (8) mkdir, (9) rmdir, (10) recv, (11) recv_bin, (12) recv_chunk_start, (13) send, (14) send_bin, (15) send_chunk_start, (16) append_chunk_start, (17) append, or (18) append_bin command.
References
Vulnerable Configurations
  • cpe:2.3:a:erlang:erlang%2fotp:r15b03
    cpe:2.3:a:erlang:erlang%2fotp:r15b03
CVSS
Base: 7.5 (as of 02-11-2015 - 12:24)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-174.NASL
    description Updated erlang packages fixes security vulnerability : An FTP command injection flaw was found in Erlang's FTP module. Several functions in the FTP module do not properly sanitize the input before passing it into a control socket. A local attacker can use this flaw to execute arbitrary FTP commands on a system that uses this module (CVE-2014-1693). This update also disables SSLv3 by default to mitigate the POODLE issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 82484
    published 2015-04-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82484
    title Mandriva Linux Security Advisory : erlang (MDVSA-2015:174)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-17009.NASL
    description - Ver. 17.4 - Disable SSLv3 - Backport useful os:getenv/2 from master. See this GitHub pull request for further details - https://github.com/erlang/otp/pull/535 - Fixed CVE-2014-1693 (backported fix from ver. 17.x.x, see patch no. 17) - Trimmed dependency chain Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 80235
    published 2014-12-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80235
    title Fedora 21 : erlang-17.4-1.fc21 (2014-17009)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-15394.NASL
    description - Fixed CVE-2014-1693 (backported fix from ver. 17.x.x, see patch no. 17) - Trimmed dependency chain Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 79647
    published 2014-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79647
    title Fedora 20 : erlang-R16B-03.9.fc20 (2014-15394)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-16214.NASL
    description - Disable SSLv3 - Backport useful os:getenv/2 from master. See this GitHub pull request for further details - https://github.com/erlang/otp/pull/535 - Fixed CVE-2014-1693 (backported fix from ver. 17.x.x, see patch no. 17) - Trimmed dependency chain Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 79921
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79921
    title Fedora 20 : erlang-R16B-03.10.fc20 (2014-16214)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3571-1.NASL
    description It was discovered that the Erlang FTP module incorrectly handled certain CRLF sequences. A remote attacker could possibly use this issue to inject arbitrary FTP commands. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-1693) It was discovered that Erlang incorrectly checked CBC padding bytes. A remote attacker could possibly use this issue to perform a padding oracle attack and decrypt traffic. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-2774) It was discovered that Erlang incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause Erlang to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-10253) Hanno Bock, Juraj Somorovsky and Craig Young discovered that the Erlang otp TLS server incorrectly handled error reporting. A remote attacker could possibly use this issue to perform a variation of the Bleichenbacher attack and decrypt traffic or sign messages. (CVE-2017-1000385). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 106838
    published 2018-02-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106838
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : erlang vulnerabilities (USN-3571-1) (ROBOT)
refmap via4
confirm
fedora FEDORA-2014-15394
mandriva MDVSA-2015:174
mlist [oss-security] 20140128 CVE Request: Erlang OTP - ftp module - FTP Command Injection
ubuntu USN-3571-1
Last major update 22-04-2015 - 21:59
Published 08-12-2014 - 06:59
Last modified 15-03-2018 - 21:29
Back to Top