SB2019072222 - Multiple vulnerabilities in Cherokee-project Cherokee webserver
Published: July 22, 2019 Updated: December 28, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2019-1010218)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in the main cherokee command. A remote attacker can overwrite argv[0] to an insane length with execl, trigger buffer overflow and crash the application.
2) NULL pointer dereference (CVE-ID: CVE-2020-12845)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in cherokee_validator_parse_basic or cherokee_validator_parse_digest. A remote attacker can send a specially crafted HTTP request and perform a denial of service (DoS) attack.
3) Out-of-bounds write (CVE-ID: CVE-2019-20800)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input within the cherokee_handler_cgi_add_env_pair() function in handler_cgi.c. A remote attacker can send a specially crafted HTTP GET request with multiple headers to the server, trigger out-of-bounds write and execute arbitrary code on the target system.
4) Buffer overflow (CVE-ID: CVE-2019-20799)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when processing HTTP requests. A remote attacker can create a specially crafted HTTP request to the server and perform a denial of service (DoS) attack.
5) Cross-site scripting (CVE-ID: CVE-2019-20798)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in handler_server_info.c due to insufficient sanitization of user-supplied data passed to the About page in the default configuration of the web server and its administrator panel. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Example:
http://[host]/about/"><script>alert(1)</script>
http://[host]:9090/about/"><script>alert(1)</script>Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://i.imgur.com/PWCCyir.png
- http://cherokee-project.com/downloads.html
- https://github.com/cherokee/webserver/issues/1242
- https://github.com/cherokee/webserver/releases
- https://security.gentoo.org/glsa/202012-09
- https://github.com/cherokee/webserver/issues/1224
- https://logicaltrust.net/blog/2019/11/cherokee.html
- https://github.com/cherokee/webserver/issues/1221
- https://github.com/cherokee/webserver/issues/1222
- https://github.com/cherokee/webserver/issues/1225
- https://github.com/cherokee/webserver/issues/1226
- https://github.com/cherokee/webserver/issues/1227