Main Vulnerability Database Vulnerabilities #VU36780

Input validation error in Mingw-w64 - CVE-2018-5392

Published: August 14, 2018 / Updated: August 8, 2020

Vulnerability identifier: #VU36780

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2018-5392

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: SourceForge

Affected software:
Mingw-w64

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

mingw-w64 version 5.0.4 by default produces executables that opt in to ASLR, but are not compatible with ASLR. ASLR is an exploit mitigation technique used by modern Windows platforms. For ASLR to function, Windows executables must contain a relocations table. Despite containing the "Dynamic base" PE header, which indicates ASLR compatibility, Windows executables produced by mingw-w64 have the relocations table stripped from them by default. This means that executables produced by mingw-w64 are vulnerable to return-oriented programming (ROP) attacks. Windows executables generated by mingw-w64 claim to be ASLR compatible, but are not. Vulnerabilities in such executables are more easily exploitable as a result.

How to mitigate CVE-2018-5392

Install update from vendor's website.

Sources

https://www.kb.cert.org/vuls/id/307144

Input validation error in Mingw-w64 - CVE-2018-5392

Detailed vulnerability description

How to mitigate CVE-2018-5392

Sources

Please verify you're human