Use-after-free in lighttpd

#VU14320 Use-after-free in lighttpd

Published: 2018-08-13

Vulnerability identifier: #VU14320

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-416

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
lighttpd
Server applications / Web servers

Vendor: lighttpd

Description

The vulnerability allows a remote attacker to gain cause denial of service conditions.

The vulnerability exists due to use-after-free error when processing data passed via Range HTTP header. A remote unauthenticated attacker can send a specially crafted HTTP request to the affected server, trigger use-after-free error and crash the affected web server.

Mitigation
Update to version 1.4.50.

Vulnerable software versions

lighttpd: 1.4.1 - 1.4.49

External links
http://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8
http://www.lighttpd.net/2018/8/13/1.4.50/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in lighttpd