Multiple vulnerabilities in Oniguruma

Published: 2019-11-18 | Updated: 2019-11-29
Severity High
Patch available YES
Number of vulnerabilities 4
CVE ID CVE-2019-19012
CVE-2019-19204
CVE-2019-19203
CVE-2019-19246
CWE ID CWE-190
CWE-126
CWE-125
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #3 is available.
Vulnerable software Oniguruma
Vendor K.Kosako

Security Advisory

Updated 22.11.2019
Added vulnerabilities #2,3
Updated 29.11.2019
Added vulnerability #4, updated list of fixed software versions.

1) Integer overflow

Severity: High

CVSSv3: 7.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-19012

CWE-ID: CWE-190 - Integer Overflow or Wraparound

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to an integer overflow in the "search_in_range" function in "regexec.c". A remote attacker can use a specially crafted regular expression to trigger an out-of-bounds read and cause a denial of service or information disclosure on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oniguruma: 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.2.0, 6.3.0, 6.4.0, 6.5.0, 6.6.0, 6.6.1, 6.7.0, 6.7.1, 6.8.0, 6.8.1, 6.8.2, 6.9.0, 6.9.1, 6.9.2, 6.9.3, 6.9.4_rc1

External links

https://github.com/kkos/oniguruma/issues/164
https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Buffer Over-read

Severity: Medium

CVSSv3: 6.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-19204

CWE-ID: CWE-126 - Buffer Over-read

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the "fetch_interval_quantifier" function (formerly known as fetch_range_quantifier) in the "regparse.c" file because PFETCH is called without first checking PEND, so the parser reads past the end of the pattern. A remote attacker can cause a denial of service condition on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oniguruma: 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.2.0, 6.3.0, 6.4.0, 6.5.0, 6.6.0, 6.6.1, 6.7.0, 6.7.1, 6.8.0, 6.8.1, 6.8.2, 6.9.0, 6.9.1, 6.9.2, 6.9.3, 6.9.4_rc1

External links

https://github.com/kkos/oniguruma/issues/162
https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Buffer Over-read

Severity: Medium

CVSSv3: 6.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-19203

CWE-ID: CWE-126 - Buffer Over-read

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the "gb18030_mbc_enc_len" function in the "gb18030.c" file because the UChar pointer is dereferenced without checking whether it has passed the end of the matched string. A remote attacker can cause a denial of service condition on the target system.
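Vulnerabilities #2 and #3 above are the same class of defect: a parser reads the next pattern byte, or the trailing bytes of a multibyte character, without first checking that the read stays inside the buffer. The C block below is an added illustration written for this advisory, not Oniguruma's own code. It assumes a hypothetical `cursor_t` type with `PEND`/`PFETCH` macros and a `REPEAT_MAX` cap (all constructed here), and a simplified GB18030 length routine based only on the encoding's lead-byte and second-byte rules. It shows the end-of-buffer checks that both cases call for: an interval quantifier `{n,m}` is rejected when the pattern ends mid-quantifier, and a GB18030 character is reported as truncated rather than read beyond `end`.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified pattern cursor (not Oniguruma's real types):
   p is the current read position, end is one past the last pattern byte. */
typedef struct {
    const unsigned char *p;
    const unsigned char *end;
} cursor_t;

#define PEND(c)   ((c)->p >= (c)->end)   /* true once the whole pattern is consumed */
#define PFETCH(c) (*(c)->p++)            /* read one byte and advance; only safe when !PEND */
#define REPEAT_MAX 100000                /* assumed cap on repeat counts; keeps n in int range */

/* Parse an interval quantifier body ({n}, {n,} or {n,m}) whose '{' has already been
   consumed. Returns 1 and fills *low/*high (high == -1 means unbounded), or 0 if the
   text is malformed or truncated. Every PFETCH is preceded by a PEND test, so a pattern
   that ends mid-quantifier (e.g. "a{1,") is rejected instead of being read past its end. */
static int parse_interval(cursor_t *c, int *low, int *high)
{
    int n = 0, have_digit = 0;
    unsigned char ch;

    *low = *high = -1;
    for (;;) {                                  /* lower bound: digits up to ',' or '}' */
        if (PEND(c)) return 0;                  /* truncated before ',' or '}' */
        ch = PFETCH(c);
        if (ch >= '0' && ch <= '9') {
            n = n * 10 + (ch - '0');
            if (n > REPEAT_MAX) return 0;       /* refuse absurd counts before they wrap */
            have_digit = 1;
            continue;
        }
        if (!have_digit) return 0;              /* "{}" and "{,m}" are not accepted here */
        if (ch == '}') { *low = *high = n; return 1; }
        if (ch == ',') break;
        return 0;                               /* unexpected character */
    }
    *low = n;
    n = 0; have_digit = 0;
    for (;;) {                                  /* optional upper bound: digits up to '}' */
        if (PEND(c)) return 0;                  /* truncated after ',' */
        ch = PFETCH(c);
        if (ch >= '0' && ch <= '9') {
            n = n * 10 + (ch - '0');
            if (n > REPEAT_MAX) return 0;
            have_digit = 1;
            continue;
        }
        if (ch != '}') return 0;
        *high = have_digit ? n : -1;
        return (*high < 0 || *high >= *low);    /* {5,3} is rejected */
    }
}

/* Parse the text following '{' in a NUL-terminated string. Returns 1/0 as above. */
int parse_quantifier_text(const char *s, int *low, int *high)
{
    cursor_t c = { (const unsigned char *)s, (const unsigned char *)s + strlen(s) };
    return parse_interval(&c, low, high);
}

/* Convenience accessors: the bound on success, -2 if the quantifier is rejected. */
int interval_lower(const char *s) { int lo, hi; return parse_quantifier_text(s, &lo, &hi) ? lo : -2; }
int interval_upper(const char *s) { int lo, hi; return parse_quantifier_text(s, &lo, &hi) ? hi : -2; }

/* Byte length of the GB18030 character starting at p, never looking at or past end.
   Returns 0 when the character is cut off by end, which the caller must treat as an
   error rather than reading on. Rules used: bytes 0x00-0x80 and 0xFF are single; a lead
   byte 0x81-0xFE is followed by a second byte, and a second byte 0x30-0x39 selects the
   four-byte form. (Validity of other second-byte values is not checked here.) */
int gb18030_char_len(const unsigned char *p, const unsigned char *end)
{
    if (p >= end) return 0;                      /* nothing left to read */
    unsigned char b0 = p[0];
    if (b0 <= 0x80 || b0 == 0xFF) return 1;
    if (p + 1 >= end) return 0;                  /* lead byte present, second byte missing */
    unsigned char b1 = p[1];
    if (b1 >= 0x30 && b1 <= 0x39)
        return (p + 4 <= end) ? 4 : 0;           /* four-byte form needs all four bytes */
    return 2;
}

/* Helper for raw byte buffers (embedded NULs allowed). */
int gb18030_len_of(const char *bytes, size_t n)
{
    return gb18030_char_len((const unsigned char *)bytes, (const unsigned char *)bytes + n);
}

int main(void)
{
    int lo, hi;
    const char *samples[] = { "3,5}", "2,}", "7}", "1,", "5,3}" };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("{%s -> %s (low=%d high=%d)\n", samples[i],
               parse_quantifier_text(samples[i], &lo, &hi) ? "ok" : "rejected", lo, hi);
    printf("\\x81\\x30\\x81 -> %d (0 = truncated)\n", gb18030_len_of("\x81\x30\x81", 3));
    return 0;
}
```

The point of the `PEND` test before every `PFETCH`, and of passing `end` into the length routine, is that truncation becomes an ordinary parse failure instead of an out-of-bounds read; a fuzzer feeding patterns such as `a{1,` or strings ending in a GB18030 lead byte is a cheap regression check for this class of bug.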

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oniguruma: 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.2.0, 6.3.0, 6.4.0, 6.5.0, 6.6.0, 6.6.1, 6.7.0, 6.7.1, 6.8.0, 6.8.1, 6.8.2, 6.9.0, 6.9.1, 6.9.2, 6.9.3, 6.9.4_rc1

External links

https://github.com/kkos/oniguruma/issues/163
https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Out-of-bounds read

Severity: Low

CVSSv3: 4.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-19246

CWE-ID: CWE-125 - Out-of-bounds Read

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a heap-based buffer over-read in str_lower_case_match in regexec.c when Oniguruma is used with PHP 7.3. A remote attacker can perform a denial of service attack or gain access to sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oniguruma: 6.9.0, 6.9.1, 6.9.2, 6.9.3

External links

https://bugs.php.net/bug.php?id=78559
https://github.com/kkos/oniguruma/commit/d3e402928b6eb3327f8f7d59a9edfa622fec557b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.