Multiple vulnerabilities in call-cc Chicken Scheme



Published: 2019-10-31 | Updated: 2020-08-08
Risk High
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2012-6123
CVE-2012-6124
CVE-2012-6125
CWE-ID CWE-20
CWE-338
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Chicken Scheme
Universal components / Libraries / Software for developers

Vendor call-cc.org

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU35125

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2012-6123

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Chicken before 4.8.0 does not properly handle NUL bytes in certain strings, which allows an attacker to conduct "poisoned NUL byte attack."

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chicken Scheme: 4.0.0 - 4.7.0

External links

http://www.openwall.com/lists/oss-security/2013/02/08/2
http://access.redhat.com/security/cve/cve-2012-6123
http://security-tracker.debian.org/tracker/CVE-2012-6123


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

EUVDB-ID: #VU35126

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2012-6124

CWE-ID: CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

A casting error in Chicken before 4.8.0 on 64-bit platform caused the random number generator to return a constant value. NOTE: the vendor states "This function wasn't used for security purposes (and is advertised as being unsuitable)."

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chicken Scheme: 4.0.0 - 4.7.0

External links

http://www.openwall.com/lists/oss-security/2013/02/08/2
http://access.redhat.com/security/cve/cve-2012-6124
http://lists.nongnu.org/archive/html/chicken-hackers/2012-02/msg00084.html
http://security-tracker.debian.org/tracker/CVE-2012-6124


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU35127

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2012-6125

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Chicken before 4.8.0 is susceptible to algorithmic complexity attacks related to hash table collisions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Chicken Scheme: 4.0.0 - 4.7.0

External links

http://www.openwall.com/lists/oss-security/2013/02/08/2
http://access.redhat.com/security/cve/cve-2012-6125
http://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00002.html
http://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00020.html
http://security-tracker.debian.org/tracker/CVE-2012-6125


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###