CVE-2019-10050 - OpenCVE

A buffer over-read issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the decode-mpls.c function DecodeMPLS is composed only of a packet of source address and destination address plus the correct type field and the right number for shim, an attacker can manipulate the control flow, such that the condition to leave the loop is true. After leaving the loop, the network packet has a length of 2 bytes. There is no validation of this length. Later on, the code tries to read at an empty position, leading to a crash.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Oisf	Suricata

Configuration 1 [-]

cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://lists.openinfosecfoundation.org/pipermail/oisf-announce/
https://suricata-ids.org/2019/04/30/suricata-4-1-4-released/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-05-13T16:18:52

Updated: 2024-08-04T22:10:09.210Z

Reserved: 2019-03-25T00:00:00

Link: CVE-2019-10050

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-05-13T17:29:02.097

Modified: 2019-10-24T16:19:30.683

Link: CVE-2019-10050

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-04-30T00:00:00", "descriptions": [{"lang": "en", "value": "A buffer over-read issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the decode-mpls.c function DecodeMPLS is composed only of a packet of source address and destination address plus the correct type field and the right number for shim, an attacker can manipulate the control flow, such that the condition to leave the loop is true. After leaving the loop, the network packet has a length of 2 bytes. There is no validation of this length. Later on, the code tries to read at an empty position, leading to a crash."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-05-13T16:18:52", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.openinfosecfoundation.org/pipermail/oisf-announce/"}, {"tags": ["x_refsource_MISC"], "url": "https://suricata-ids.org/2019/04/30/suricata-4-1-4-released/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-10050", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A buffer over-read issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the decode-mpls.c function DecodeMPLS is composed only of a packet of source address and destination address plus the correct type field and the right number for shim, an attacker can manipulate the control flow, such that the condition to leave the loop is true. After leaving the loop, the network packet has a length of 2 bytes. There is no validation of this length. Later on, the code tries to read at an empty position, leading to a crash."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://lists.openinfosecfoundation.org/pipermail/oisf-announce/", "refsource": "MISC", "url": "https://lists.openinfosecfoundation.org/pipermail/oisf-announce/"}, {"name": "https://suricata-ids.org/2019/04/30/suricata-4-1-4-released/", "refsource": "MISC", "url": "https://suricata-ids.org/2019/04/30/suricata-4-1-4-released/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:10:09.210Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.openinfosecfoundation.org/pipermail/oisf-announce/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://suricata-ids.org/2019/04/30/suricata-4-1-4-released/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-10050", "datePublished": "2019-05-13T16:18:52", "dateReserved": "2019-03-25T00:00:00", "dateUpdated": "2024-08-04T22:10:09.210Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "F301FC21-7AD7-46B5-B85C-FCB0C5B3DBF5", "versionEndExcluding": "4.1.4", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A buffer over-read issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the decode-mpls.c function DecodeMPLS is composed only of a packet of source address and destination address plus the correct type field and the right number for shim, an attacker can manipulate the control flow, such that the condition to leave the loop is true. After leaving the loop, the network packet has a length of 2 bytes. There is no validation of this length. Later on, the code tries to read at an empty position, leading to a crash."}, {"lang": "es", "value": "Se descubri\u00f3 un problema de sobrelectura de b\u00fafer en Suricata, versiones 4.1.x anteriores a 4.1.4. Si la entrada de la funci\u00f3n decode-mpls.c DecodeMPLS est\u00e1 compuesta s\u00f3lo por un paquete de direcci\u00f3n de origen y direcci\u00f3n de destino m\u00e1s el campo de tipo correcto y el n\u00famero correcto de shim, un atacante puede manipular el flujo de control, de tal forma que la condici\u00f3n para abandonar el bucle sea verdadera. Despu\u00e9s de salir del bucle, el paquete de red tiene una longitud de 2 bytes. No hay validaci\u00f3n de esta longitud. M\u00e1s tarde, el c\u00f3digo intenta leer en una posici\u00f3n vac\u00eda, provocando un fallo."}], "id": "CVE-2019-10050", "lastModified": "2019-10-24T16:19:30.683", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-05-13T17:29:02.097", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://lists.openinfosecfoundation.org/pipermail/oisf-announce/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://suricata-ids.org/2019/04/30/suricata-4-1-4-released/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}