DoS via use-after-free in TLS (CVE-2020-8265)

Advisory ID: STORM-2020-060
CVE Number: CVE-2020-8265
Date discovered: 11/18/2020
Severity: low
Advisory revision: v1

Vulnerability details

On impacted Node.js versions, a memory allocation issue could allow a TLS connection to cause a denial of service (DoS).

Impacted products

Product: Stormshield Management Center
Severity: low
Detail: Patched in version 2.8.1

Revisions

Version Date Description
v1 20/01/2021 Initial release
v2 21/01/2021 Correction of the excerpt section and CVE number

 



Stormshield Management Center

CVSS v2 Overall Score: 2.1      

Analysis

Impacted version

The SMC GUI and appliance server are vulnerable:

  • SMC below 2.8.1

Workaround solution

Do not use the FQDN object on an unknown domain.

Solution

The 2.8.1 update will fix this vulnerability.



Access vector: Local
Access complexity: High
Authentication: Single
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete
CVSS Base score: 3.8
CVSS Vector: (AV:L/AC:H/Au:S/C:N/I:N/A:C)

Exploitability: Unproven that exploit exists
Remediation Level: Workaround
Report Confidence: Unconfirmed
CVSS Temporal score: 2.8
CVSS Vector: (AV:L/AC:H/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:UC)

Collateral Damage Potential: None
Target Distribution: Medium [26-75%]
CVSS Environmental score: 2.1
CVSS Vector: (AV:L/AC:H/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:UC/CDP:N/TD:M/CR:ND/IR:ND/AR:ND)