Deserialization of Untrusted Data in monero - CVE-2018-3972
Published: September 26, 2018 / Updated: August 8, 2020
Vulnerability identifier: #VU36616
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-3972
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: getmonero.org
Affected software:
monero
monero
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
An exploitable code execution vulnerability exists in the Levin deserialization functionality of the Epee library, as used in Monero 'Lithium Luna' (v0.12.2.0-master-ffab6700) and other cryptocurrencies. A specially crafted network packet can cause a logic flaw, resulting in code execution. An attacker can send a packet to trigger this vulnerability.
How to mitigate CVE-2018-3972
Install update from vendor's website.