Vulnerability identifier: #VU20541
Vulnerability risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-400
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
libarchive
Client/Desktop applications /
Software for archiving
Vendor: libarchive
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper parsing of ISO9660 files. A remote attacker can persuade a user to access an ISO9660, trigger an infinite loop condition and perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
libarchive: 2.8.0 - 3.2.0
External links
http://github.com/libarchive/libarchive/pull/1120
http://github.com/libarchive/libarchive/pull/1120/commits/8312eaa576014cd9b965012af51bc1f967b12423
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.