ID CVE-2019-6250
Summary A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4.2.x and 4.3.x before 4.3.1. A v2_decoder.cpp zmq::v2_decoder_t::size_ready integer overflow allows an authenticated attacker to overwrite an arbitrary amount of bytes beyond the bounds of a buffer, which can be leveraged to run arbitrary code on the target system. The memory layout allows the attacker to inject OS commands into a data structure located immediately after the problematic buffer (i.e., it is not necessary to use a typical buffer-overflow exploitation technique that changes the flow of control).
References
Vulnerable Configurations
  • ZeroMQ Libzmq 4.2.0
    cpe:2.3:a:zeromq:libzmq:4.2.0
  • ZeroMQ Libzmq 4.2.1
    cpe:2.3:a:zeromq:libzmq:4.2.1
  • ZeroMQ Libzmq 4.2.2
    cpe:2.3:a:zeromq:libzmq:4.2.2
  • ZeroMQ Libzmq 4.2.3
    cpe:2.3:a:zeromq:libzmq:4.2.3
  • ZeroMQ Libzmq 4.2.4
    cpe:2.3:a:zeromq:libzmq:4.2.4
  • ZeroMQ Libzmq 4.2.5
    cpe:2.3:a:zeromq:libzmq:4.2.5
  • ZeroMQ Libzmq 4.3.0
    cpe:2.3:a:zeromq:libzmq:4.3.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
CVSS
Base: 9.0
Impact:
Exploitability:
CWE CWE-190
CAPEC
  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation or similar. The attacker would typically control the value of such a variable and try to push it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, providing an incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_8E48365A214D11E99F8A0050562A4D7B.NASL
    description A vulnerability has been found that would allow attackers to direct a peer to jump to and execute from an address indicated by the attacker. This issue has been present since v4.2.0. Older releases are not affected. NOTE: The attacker needs to know in advance valid addresses in the peer's memory to jump to, so measures like ASLR are effective mitigations. NOTE: this attack can only take place after authentication, so peers behind CURVE/GSSAPI are not vulnerable to unauthenticated attackers.
    last seen 2019-02-21
    modified 2019-01-28
    plugin id 121405
    published 2019-01-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121405
    title FreeBSD : libzmq4 -- Remote Code Execution Vulnerability (8e48365a-214d-11e9-9f8a-0050562a4d7b)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2019-0110-1.NASL
    description This update for zeromq fixes the following issues. Security issue fixed: CVE-2019-6250: fix a remote execution vulnerability due to pointer arithmetic overflow (bsc#1121717). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-25
    plugin id 121240
    published 2019-01-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121240
    title SUSE SLED15 / SLES15 Security Update : zeromq (SUSE-SU-2019:0110-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4368.NASL
    description Guido Vranken discovered that an incorrect bounds check in ZeroMQ, a lightweight messaging kernel, could result in the execution of arbitrary code.
    last seen 2019-02-21
    modified 2019-01-25
    plugin id 121167
    published 2019-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121167
    title Debian DSA-4368-1 : zeromq3 - security update
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2019-87.NASL
    description This update for zeromq fixes the following issues. Security issue fixed: - CVE-2019-6250: fix a remote execution vulnerability due to pointer arithmetic overflow (bsc#1121717). The following tracked packaging change is included: - boo1082318: correctly mark license files as licence instead of documentation. This update was imported from the SUSE:SLE-15:Update update project.
    last seen 2019-02-21
    modified 2019-01-28
    plugin id 121414
    published 2019-01-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121414
    title openSUSE Security Update : zeromq (openSUSE-2019-87)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2019-64.NASL
    description This update for zeromq fixes the following issues. Security issue fixed: - CVE-2019-6250: fix a remote execution vulnerability due to pointer arithmetic overflow (bsc#1121717).
    last seen 2019-02-21
    modified 2019-01-25
    plugin id 121288
    published 2019-01-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121288
    title openSUSE Security Update : zeromq (openSUSE-2019-64)
refmap via4
confirm
debian DSA-4368
gentoo GLSA-201903-22
Last major update 13-01-2019 - 10:29
Published 13-01-2019 - 10:29
Last modified 03-04-2019 - 09:38