#VU63055 Unchecked Return Value in cron (Debian package)


Published: 2022-05-11

Vulnerability identifier: #VU63055

Vulnerability risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-9704

CWE-ID: CWE-252

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
cron (Debian package)
Operating systems & Components / Operating system package or component

Vendor: Debian

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to the calloc return value is not checked. A local user can create a large crontab file and crash the daemon.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

cron (Debian package): 3.0pl1-100 - 3.0pl1-132

External links
http://salsa.debian.org/debian/cron/commit/f2525567
http://www.securityfocus.com/bid/107373
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DU7HAUAQR4E4AEBPYLUV6FZ4PHKH6A2/
http://lists.debian.org/debian-lts-announce/2019/03/msg00025.html
http://lists.debian.org/debian-lts-announce/2021/10/msg00029.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


VMware Tanzu products update for Cron
VMware Tanzu products update for Cron
Multiple vulnerabilities in cflinuxfs3
Multiple vulnerabilities in cflinuxfs3
Ubuntu update for cron
Ubuntu update for cron