Multiple vulnerabilities in call-cc Chicken Scheme



Published: 2019-10-31 | Updated: 2020-08-08
Risk High
Patch available YES
Number of vulnerabilities 3
CVE ID CVE-2012-6123
CVE-2012-6124
CVE-2012-6125
CWE ID CWE-20
CWE-338
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Chicken Scheme
Universal components / Libraries / Software for developers

Vendor call-cc.org

Security Advisory

1) Input validation error

Risk: Medium

CVSSv3: 5.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2012-6123

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Chicken before 4.8.0 does not properly handle NUL bytes in certain strings, which allows an attacker to conduct "poisoned NUL byte attack."

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chicken Scheme: 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0

CPE External links

http://www.openwall.com/lists/oss-security/2013/02/08/2
https://access.redhat.com/security/cve/cve-2012-6123
https://security-tracker.debian.org/tracker/CVE-2012-6123

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Risk: Medium

CVSSv3: 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2012-6124

CWE-ID: CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

A casting error in Chicken before 4.8.0 on 64-bit platform caused the random number generator to return a constant value. NOTE: the vendor states "This function wasn't used for security purposes (and is advertised as being unsuitable)."

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chicken Scheme: 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0

CPE External links

http://www.openwall.com/lists/oss-security/2013/02/08/2
https://access.redhat.com/security/cve/cve-2012-6124
https://lists.nongnu.org/archive/html/chicken-hackers/2012-02/msg00084.html
https://security-tracker.debian.org/tracker/CVE-2012-6124

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

Risk: High

CVSSv3: 8.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2012-6125

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Chicken before 4.8.0 is susceptible to algorithmic complexity attacks related to hash table collisions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chicken Scheme: 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0

CPE External links

http://www.openwall.com/lists/oss-security/2013/02/08/2
https://access.redhat.com/security/cve/cve-2012-6125
https://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00002.html
https://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00020.html
https://security-tracker.debian.org/tracker/CVE-2012-6125

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###