#VU33521 Input validation error in Debian Linux - CVE-2017-12187

Cybersecurity Help s.r.o.

Published: 2018-01-24 | Updated: 2020-08-04

Vulnerability identifier: #VU33521

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-12187

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Debian Linux
Operating systems & Components / Operating system

Vendor: Debian

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

xorg-x11-server before 1.19.5 was missing length validation in RENDER extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Debian Linux: 8.0 - 9.0

External links
https://bugzilla.redhat.com/show_bug.cgi?id=1509217
https://cgit.freedesktop.org/xorg/xserver/commit/?id=cad5a1050b7184d828aef9c1dd151c3ab649d37e
https://lists.debian.org/debian-lts-announce/2017/11/msg00032.html
https://www.debian.org/security/2017/dsa-4000

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in Debian Linux

Input validation error in xorg-server (Alpine package)

Slackware Linux update for xorg-server