NULL pointer dereference in binutils (Alpine package)

1) NULL pointer dereference

EUVDB-ID: #VU32127

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-7614

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a "member access within null pointer" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an "int main() {return 0;}" program.

Mitigation

Install update from vendor's website.

Vulnerable software versions

binutils (Alpine package): 2.26-r0

CPE2.3

• cpe:2.3:a:alpine:binutils_alpine_package:2.26-r0:*:*:*:*:alpine_linux:*:3.3

External links

https://git.alpinelinux.org/aports/commit/?id=0ac897cc91d6e616423895be89c09150f908c874
https://git.alpinelinux.org/aports/commit/?id=1699ed48b80a1f0550e3af4983727d83f9594e26
https://git.alpinelinux.org/aports/commit/?id=30e67c63dba1de11cfe9a7af61304af3e00a3eff
https://git.alpinelinux.org/aports/commit/?id=3c0b2ef21e436d6895ad412d2d1aeb568b95db50
https://git.alpinelinux.org/aports/commit/?id=55858ef24e4e1f0e4aef26149bc6f73d72a4e536
https://git.alpinelinux.org/aports/commit/?id=a64b11f0247784a8e364cd711948b487b5887832

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.