#VU19575 Buffer overflow in libzmq - CVE-2019-13132

Cybersecurity Help s.r.o.

Published: 2019-07-31

Vulnerability identifier: #VU19575

Vulnerability risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2019-13132

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libzmq
Universal components / Libraries / Libraries used by multiple products

Vendor: ZeroMQ Project

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a stack buffer overflow condition when running a socket with CURVE "encryption/authentication" enabled. A remote attacker can send a malicious request and execute arbitrary code on the targeted system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

libzmq: 4.2.0 - 4.3.2

External links
https://github.com/zeromq/libzmq/issues/3558
https://github.com/zeromq/libzmq/releases

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Fedora 29 update for zeromq

Fedora 30 update for zeromq

Fedora 31 update for zeromq

Gentoo update for ZeroMQ

Buffer overflow in ZeroMQ libzmq

OpenSUSE Linux update for zeromq

Buffer overflow in zeromq (Alpine package)

Debian update for zeromq3