#VU50842 Improper Neutralization of Argument Delimiters in a Command in Screen


Published: 2021-02-22

Vulnerability identifier: #VU50842

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-26937

CWE-ID: CWE-88

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Screen
Other software / Other software solutions

Vendor: GNU

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect processing of user-supplied data in the encoding.c file. A remote attacker can pass specially crafted UTF-8 character sequence to the GNU Screen application and perform a denial of service attack or execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Screen: 4.0.1 - 4.8.0

External links
http://www.openwall.com/lists/oss-security/2021/02/09/8
http://lists.debian.org/debian-lts-announce/2021/02/msg00031.html
http://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
http://www.openwall.com/lists/oss-security/2021/02/09/3

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell EMC Data Computing Appliance (DCA)
Red Hat Enterprise Linux 7.7 update for screen
Multiple vulnerabilities in Junos Space
Gentoo update for GNU Screen
Amazon Linux AMI update for screen
openEuler update for screen
Red Hat Enterprise Linux 7 update for screen
Ubuntu update for screen
Ubuntu update for screen
Debian update for screen