Multiple vulnerabilities in bzip2

Advisory ID: STORM-2019-010
CVE Number: CVE-2016-3189, CVE-2019-12900
Date discovered: 08/08/2019
Severity: medium
Advisory revision: v3

Vulnerability details

An attacker who can force the extraction of a crafted archive can cause a denial of service or achieve remote code execution.

For SVC: the vulnerable version of bzip2 is embedded in the delivered OVA, but it is not directly used by any functionality.

Impacted products

Product: Stormshield Network Security
Severity: medium
Detail: An attacker who can force the extraction of a crafted archive can cause a denial of service or achieve remote code execution.

Revisions

Version  Date        Description
v1       08/08/2019  Initial release
v2       10/07/2019  Add SNS 2.x fix versions
v3       10/08/2019  Fix SNS 3.x fix versions


Stormshield Network Security

CVSS v2 Overall Score: 5.8

Analysis

Impacted version

SNS: An attacker who can force the extraction of a crafted archive can cause a denial of service or achieve remote code execution.

SMC: bzip2 is installed on the operating system, but the vulnerability cannot be triggered through SMC.

SVC: bzip2 is installed on the operating system, but the vulnerability cannot be triggered through SVC.

  • SNS 2.X
  • SNS 3.X

Workaround solution

There is no workaround solution.

Solution

SNS: The 2.7.5, 2.15.0, 3.7.8 and 3.9.2 updates will fix this vulnerability.

SMC: The 2.6.0 update will upgrade its version of bzip2.

SVC: The 1.5 update will upgrade its version of bzip2.



Access vector: Adjacent Network
Access complexity: Medium
Authentication: Single
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete
CVSS Base score: 7.4
CVSS Vector: (AV:A/AC:M/Au:S/C:C/I:C/A:C)

Exploitability: Proof of concept code
Remediation Level: Official fix
Report Confidence: Confirmed
CVSS Temporal score: 5.8
CVSS Vector: (AV:A/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)

Collateral Damage Potential: None
Target Distribution: High [76-100%]
CVSS Environmental score: 5.8
CVSS Vector: (AV:A/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C/CDP:N/TD:H/CR:ND/IR:ND/AR:ND)