Multiple vulnerabilities in call-cc Chicken Scheme

Published: 2014-05-20 | Updated: 2020-08-10

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2013-1874 CVE-2014-3776
CWE-ID	CWE-20 CWE-119
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Chicken Scheme Universal components / Libraries / Software for developers
Vendor	call-cc.org

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU41275

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2013-1874

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Untrusted search path vulnerability in csi in Chicken before 4.8.2 allows local users to execute arbitrary code via a Trojan horse .csirc in the current working directory. <a href = http://cwe.mitre.org/data/definitions/426.html> CWE-426: Untrusted Search Path </a>

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chicken Scheme: 4.8.0 - 4.8.0.7

External links

http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=blob;f=NEWS;h=c21c7cf9d1faf4f78736890ac7ca1d4b82d72ddd;hb=c6750af99ada7fa4815ee834e4e705bcfac9c137
http://seclists.org/oss-sec/2013/q1/692
http://www.osvdb.org/91520
http://www.securityfocus.com/bid/58583
http://exchange.xforce.ibmcloud.com/vulnerabilities/85065

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer overflow

EUVDB-ID: #VU41652

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2014-3776

CWE-ID: CWE-119 - Memory corruption