CVE-2020-15158

Опубликовано: 26 авг. 2020

Источник: nvd

CVSS3: 7.7

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

In libIEC61850 before version 1.4.3, when a message with COTP message length field with value < 4 is received an integer underflow will happen leading to heap buffer overflow. This can cause an application crash or on some platforms even the execution of remote code. If your application is used in open networks or there are untrusted nodes in the network it is highly recommend to apply the patch. This was patched with commit 033ab5b. Users of version 1.4.x should upgrade to version 1.4.3 when available. As a workaround changes of commit 033ab5b can be applied to older versions.

Ссылки

https://github.com/mz-automation/libiec61850/commit/033ab5b6488250c8c3b838f25a7cbc3e099230bb
Patch
Third Party Advisory
https://github.com/mz-automation/libiec61850/issues/250
Third Party Advisory
https://github.com/mz-automation/libiec61850/security/advisories/GHSA-pq77-fmf7-hjw8
Third Party Advisory
https://github.com/mz-automation/libiec61850/commit/033ab5b6488250c8c3b838f25a7cbc3e099230bb
Patch
Third Party Advisory
https://github.com/mz-automation/libiec61850/issues/250
Third Party Advisory
https://github.com/mz-automation/libiec61850/security/advisories/GHSA-pq77-fmf7-hjw8
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:mz-automation:libiec61850:*:*:*:*:*:*:*:*

Версия от 1.4.0 (включая) до 1.4.3 (исключая)

EPSS

Процентиль: 85%

0.0238

Низкий

7.7 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-119

CWE-191

EPSS

Процентиль: 85%

0.0238

Низкий

7.7 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-119

CWE-191