Input validation error in perl-net-ssleay (Alpine package)

1) Input validation error

EUVDB-ID: #VU32660

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2002-2443

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103.

Mitigation

Install update from vendor's website.

Vulnerable software versions

perl-net-ssleay (Alpine package): 1.54-r0

CPE2.3

• cpe:2.3:a:alpine:perl-net-ssleay_alpine_package:1.54-r0:*:*:*:*:alpine_linux:*:2.6

External links

https://git.alpinelinux.org/aports/commit/?id=61b6c314dce6d6a6b5e2ce3e2bdd57d9d8824636
https://git.alpinelinux.org/aports/commit/?id=f4815a09b6eee77917fc4aeb5a684f88e051022c
https://git.alpinelinux.org/aports/commit/?id=a074fa6d38db3108ce263b63cdf22a8c88fe919a
https://git.alpinelinux.org/aports/commit/?id=635b532cd2987f13c5a08db090d8a1c44650b1f3
https://git.alpinelinux.org/aports/commit/?id=b318a59981c3e291a439fc9085f959761f77342d

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.