#VU79018 Out-of-bounds read in libesmtp (Debian package) - CVE-2019-19977
Vulnerability identifier: #VU79018
Vulnerability risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID:
CWE-ID:
CWE-125
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
libesmtp (Debian package)
Operating systems & Components /
Operating system package or component
Vendor: Debian
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
libesmtp (Debian package): 1.0.4 - 1.0.6
External links
https://github.com/jbouse-debian/libesmtp/blob/ca5bd0800ef1da234315da4c59716568eb5e6402/ntlm/ntlmstruct.c#L228-L242
https://github.com/Kirin-say/Vulnerabilities/blob/master/Stack_Overflow_in_libesmtp.md
https://web.archive.org/web/20190528215510/
https://brianstafford.info/libesmtp/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
