Risk | High |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2012-6123 CVE-2012-6124 CVE-2012-6125 |
CWE-ID | CWE-20 CWE-338 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Chicken Scheme (Universal components / Libraries / Software for developers)
Vendor | call-cc.org |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU35125
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-6123
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
Chicken before 4.8.0 does not properly handle NUL bytes in certain strings, which allows an attacker to conduct a "poisoned NUL byte attack". A Scheme string is length-delimited and may contain NUL bytes, but when it is passed to a C library routine (for example to open a file) the C side treats the first NUL as the end of the string. Any check the program performs on the full string, such as requiring a particular file-name suffix, can therefore be satisfied by input whose truncated C view names a different file.
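The following C program is an added illustration of the boundary described above; it is not CHICKEN's runtime code. It models a length-delimited runtime string, applies a ".txt only" policy to the full string, and then converts it to a NUL-terminated C string either unchecked (the pre-4.8.0 behaviour) or with an embedded-NUL check. The file name, the suffix policy and the helper names are constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A length-delimited string, as a Scheme runtime stores one: it may contain NUL bytes. */
typedef struct { const char *data; size_t len; } lstring;

/* Constructed attacker input: the runtime-side view is "/etc/passwd\0.txt" (16 bytes). */
lstring poisoned_name(void) {
    static const char raw[] = "/etc/passwd\0.txt";
    lstring s = { raw, sizeof raw - 1 };   /* 16, counting the embedded NUL */
    return s;
}

/* Constructed benign input. */
lstring benign_name(void) {
    lstring s = { "notes.txt", 9 };
    return s;
}

/* True if the C library would see a shorter string than the runtime does. */
int has_embedded_nul(lstring s) {
    return memchr(s.data, '\0', s.len) != NULL;
}

/* Policy check done on the runtime string: it must end in the given suffix. */
int ends_with(lstring s, const char *suffix) {
    size_t n = strlen(suffix);
    return s.len >= n && memcmp(s.data + s.len - n, suffix, n) == 0;
}

/* Conversion to a NUL-terminated C string. With check_nul == 0 the bytes are
 * copied as-is and every C string function stops at the first NUL (the
 * vulnerable behaviour). With check_nul != 0 the string is rejected instead. */
int to_cstring(lstring s, int check_nul, char *out, size_t outsz) {
    if (check_nul && has_embedded_nul(s)) { errno = EINVAL; return -1; }
    if (s.len + 1 > outsz) { errno = ENAMETOOLONG; return -1; }
    memcpy(out, s.data, s.len);
    out[s.len] = '\0';
    return 0;
}

/* Apply the ".txt" policy, then convert. Returns the path the C side would
 * actually open, or NULL if the policy or the conversion rejected the name. */
const char *resolve_path(lstring name, int check_nul) {
    static char path[256];
    if (!ends_with(name, ".txt")) return NULL;
    if (to_cstring(name, check_nul, path, sizeof path) != 0) return NULL;
    return path;
}

int main(void) {
    const char *p = resolve_path(poisoned_name(), 0);
    printf("unchecked: policy accepted, C would open \"%s\"\n", p ? p : "(rejected)");
    p = resolve_path(poisoned_name(), 1);
    printf("checked:   %s\n", p ? p : "rejected (embedded NUL)");
    p = resolve_path(benign_name(), 1);
    printf("benign:    \"%s\"\n", p ? p : "(rejected)");
    return 0;
}
```

The unchecked path is the attack: the suffix check sees ".txt", but the C library opens "/etc/passwd". The check belongs at the point where the length-delimited string is handed to C, because every C function that receives it will truncate in the same way.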
Mitigation
Install update from vendor's website.
Vulnerable software versions
Chicken Scheme: 4.0.0 - 4.7.0
External links
http://www.openwall.com/lists/oss-security/2013/02/08/2
http://access.redhat.com/security/cve/cve-2012-6123
http://security-tracker.debian.org/tracker/CVE-2012-6123
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU35126
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-6124
CWE-ID:
CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to predict values that an application expects to be unpredictable.
A casting error in Chicken before 4.8.0 on 64-bit platforms caused the random number generator to return a constant value, so every call yields the same result and anything derived from it (sampling, retry jitter, identifiers) is fully predictable. NOTE: the vendor states "This function wasn't used for security purposes (and is advertised as being unsuitable)."
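The following C program is an added regression check for the failure mode described above; it is not CHICKEN's code. `stuck_random` is a constructed stand-in that reproduces the symptom (one constant value) rather than the actual casting bug, and `libc_random` is an ordinary `rand()`-backed generator that scales in floating point so the `RAND_MAX + 1` step cannot overflow an `int`, one word-size-dependent way such generators break. The check counts distinct outputs over a batch of draws.

```c
#include <stdio.h>
#include <stdlib.h>

typedef long (*rng_fn)(long bound);

/* Constructed model of the symptom: every call returns the same value. */
long stuck_random(long bound) {
    (void)bound;
    return 0;
}

/* Working general-purpose generator (not cryptographic): scale in double so
 * neither RAND_MAX + 1 nor the product overflows an int on any word size. */
long libc_random(long bound) {
    return (long)(((double)rand() / ((double)RAND_MAX + 1.0)) * (double)bound);
}

/* Draw n values in [0, bound) and count how many distinct values appear.
 * Returns -1 for an out-of-range value or a bound the bitmap cannot hold. */
long count_distinct(rng_fn gen, long bound, int n) {
    unsigned char seen[4096] = {0};
    long distinct = 0;
    if (bound < 1 || bound > 4096) return -1;
    for (int i = 0; i < n; i++) {
        long v = gen(bound);
        if (v < 0 || v >= bound) return -1;
        if (!seen[v]) { seen[v] = 1; distinct++; }
    }
    return distinct;
}

/* With bound well above n, a healthy generator yields close to n distinct values;
 * a stuck one yields exactly one. Flag anything below n/4 as broken. */
int rng_looks_stuck(rng_fn gen, long bound, int n) {
    long d = count_distinct(gen, bound, n);
    return d < 0 || d < n / 4;
}

int main(void) {
    printf("stuck generator : %ld distinct of 100 draws -> %s\n",
           count_distinct(stuck_random, 1000, 100),
           rng_looks_stuck(stuck_random, 1000, 100) ? "broken" : "ok");
    printf("libc generator  : %ld distinct of 100 draws -> %s\n",
           count_distinct(libc_random, 1000, 100),
           rng_looks_stuck(libc_random, 1000, 100) ? "broken" : "ok");
    return 0;
}
```

A check of this shape belongs in the test suite of any runtime that wraps a platform generator, since a constant output is exactly the kind of regression that passes every type check and surfaces only under load. It says nothing about cryptographic quality; a generator that passes it is still unsuitable for keys or tokens.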
Mitigation
Install update from vendor's website. Code that needs unpredictable values should not rely on this generator in any version; it is a general-purpose PRNG, not a cryptographic one.
Vulnerable software versions
Chicken Scheme: 4.0.0 - 4.7.0
External links
http://www.openwall.com/lists/oss-security/2013/02/08/2
http://access.redhat.com/security/cve/cve-2012-6124
http://lists.nongnu.org/archive/html/chicken-hackers/2012-02/msg00084.html
http://security-tracker.debian.org/tracker/CVE-2012-6124
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU35127
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-6125
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to cause a denial of service.
Chicken before 4.8.0 is susceptible to algorithmic complexity attacks related to hash table collisions. The default string hash is deterministic, so an attacker who controls the keys inserted into a hash table (for example HTTP parameter or header names) can precompute a large set of keys that all land in one bucket. Each insert or lookup then scans that bucket, and processing n such keys costs O(n^2) comparisons instead of O(n), exhausting CPU with a single request. The update counters this by randomizing the hash functions used by hash tables, so colliding keys cannot be computed offline.
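The following C program is an added demonstration of the attack and of why the fix has to be done carefully; it is not CHICKEN's hash implementation. `weak_hash` is an illustrative unseeded multiplicative hash (h = h*31 + c), standing in for any deterministic string hash. It generates 2^k keys that all collide under that hash and measures the most populated bucket for three variants: the unseeded hash, the same hash with a secret initial state (the caveat: a seed alone does not help when the collision is independent of the initial state), and a seeded hash with non-linear mixing. The seed value and the key alphabet are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint64_t (*hash_fn)(const char *key, uint64_t seed);

/* Illustrative deterministic string hash (h = h*31 + c); a stand-in for any
 * unseeded multiplicative hash, not CHICKEN's implementation. */
uint64_t weak_hash(const char *s, uint64_t seed) {
    (void)seed;
    uint64_t h = 0;
    for (; *s; s++) h = h * 31 + (unsigned char)*s;
    return h;
}

/* Same recurrence with a secret seed as the initial state. The collisions built
 * below do not depend on the initial state, so the seed changes nothing. */
uint64_t weak_hash_seeded(const char *s, uint64_t seed) {
    uint64_t h = seed;
    for (; *s; s++) h = h * 31 + (unsigned char)*s;
    return h;
}

/* FNV-1a absorption with the seed folded in, then a splitmix64-style finalizer
 * so the seed influences every output bit non-linearly. */
uint64_t mixed_hash_seeded(const char *s, uint64_t seed) {
    uint64_t h = 0xcbf29ce484222325ULL ^ seed;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 0x100000001b3ULL; }
    h ^= seed;
    h ^= h >> 30; h *= 0xbf58476d1ce4e5b9ULL;
    h ^= h >> 27; h *= 0x94d049bb133111ebULL;
    h ^= h >> 31;
    return h;
}

/* "Aa" and "BB" advance h*31+c identically (31*65+97 == 31*66+66 == 2112) from
 * any state, so every concatenation of k such blocks collides: 2^k keys of
 * length 2k. Writes them into buf with stride 2k+1 and returns the count. */
size_t gen_colliding_keys(int k, char *buf) {
    size_t n = (size_t)1 << k, stride = 2 * (size_t)k + 1;
    for (size_t i = 0; i < n; i++) {
        char *key = buf + i * stride;
        for (int j = 0; j < k; j++) {
            const char *block = ((i >> j) & 1) ? "Aa" : "BB";
            key[2 * j] = block[0];
            key[2 * j + 1] = block[1];
        }
        key[2 * k] = '\0';
    }
    return n;
}

/* Bucket every key by hash % nbuckets and return the largest bucket: that is
 * how many comparisons a chained table performs per lookup in the worst case. */
size_t max_bucket_load(hash_fn fn, uint64_t seed, const char *buf, size_t n,
                       size_t stride, size_t nbuckets) {
    size_t *load = calloc(nbuckets, sizeof *load), worst = 0;
    if (!load) return 0;
    for (size_t i = 0; i < n; i++) {
        size_t b = (size_t)(fn(buf + i * stride, seed) % nbuckets);
        if (++load[b] > worst) worst = load[b];
    }
    free(load);
    return worst;
}

/* Generate the 2^k attacker keys and report the worst bucket in a 2^k-bucket table. */
size_t worst_load_for(int k, hash_fn fn, uint64_t seed) {
    size_t n = (size_t)1 << k, stride = 2 * (size_t)k + 1;
    char *keys = malloc(n * stride);
    if (!keys) return 0;
    gen_colliding_keys(k, keys);
    size_t worst = max_bucket_load(fn, seed, keys, n, stride, n);
    free(keys);
    return worst;
}

int main(void) {
    const int k = 12;                        /* 4096 keys into 4096 buckets */
    uint64_t seed = 0x9e3779b97f4a7c15ULL;   /* stand-in for a per-process random seed */
    printf("unseeded h*31+c     : worst bucket %zu\n", worst_load_for(k, weak_hash, 0));
    printf("seeded h*31+c       : worst bucket %zu\n", worst_load_for(k, weak_hash_seeded, seed));
    printf("seeded + mixed hash : worst bucket %zu\n", worst_load_for(k, mixed_hash_seeded, seed));
    return 0;
}
```

With the unseeded hash all 4096 keys share one bucket, so inserting them costs roughly 4096*4096/2 comparisons; the seeded linear variant is just as bad because the attacker's collision holds for every initial state. Only the variant whose output depends non-linearly on a seed the attacker cannot see spreads the same keys across the table. When auditing a randomization fix, this is the property to test: precomputed collisions for the unseeded hash must stop colliding once the seed changes.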
Mitigation
Install update from vendor's website.
Vulnerable software versions
Chicken Scheme: 4.0.0 - 4.7.0
External links
http://www.openwall.com/lists/oss-security/2013/02/08/2
http://access.redhat.com/security/cve/cve-2012-6125
http://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00002.html
http://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00020.html
http://security-tracker.debian.org/tracker/CVE-2012-6125
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.