Vulnerability CVE-2006-6235 - CERT Civis.Net

Vulnerability Name:

CVE-2006-6235 (CCN-30711)

Assigned:

2006-12-06

Published:

2006-12-06

Updated:

2018-10-17

Summary:

A "stack overwrite" vulnerability in GnuPG (gpg) 1.x before 1.4.6, 2.x before 2.0.2, and 1.9.0 through 1.9.95 allows attackers to execute arbitrary code via crafted OpenPGP packets that cause GnuPG to dereference a function pointer from deallocated stack memory.

CVSS v3 Severity:

10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
7.4 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
7.4 High (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: SGI
Type: UNKNOWN
20061201-01-P

Source: MITRE
Type: CNA
CVE-2006-6235

Source: CCN
Type: GnuPG-Announce Mailing List, Wed Dec 6 16:55:52 CET 2006
GnuPG: remotely controllable function pointer [CVE-2006-6235]

Source: MLIST
Type: UNKNOWN
[gnupg-announce] GnuPG: remotely controllable function pointer [CVE-2006-6235]

Source: SUSE
Type: UNKNOWN
SUSE-SA:2006:075

Source: CCN
Type: RHSA-2006-0754
Important: gnupg security update

Source: CCN
Type: SA23245
GnuPG OpenPGP Message Decryption Vulnerability

Source: SECUNIA
Type: Patch, Vendor Advisory
23245

Source: SECUNIA
Type: Patch, Vendor Advisory
23250

Source: SECUNIA
Type: Patch, Vendor Advisory
23255

Source: SECUNIA
Type: UNKNOWN
23259

Source: SECUNIA
Type: Patch, Vendor Advisory
23269

Source: SECUNIA
Type: UNKNOWN
23284

Source: SECUNIA
Type: UNKNOWN
23290

Source: SECUNIA
Type: UNKNOWN
23299

Source: SECUNIA
Type: UNKNOWN
23303

Source: SECUNIA
Type: UNKNOWN
23329

Source: SECUNIA
Type: UNKNOWN
23335

Source: SECUNIA
Type: UNKNOWN
23513

Source: CCN
Type: SA24047
Avaya Products GnuPG Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
24047

Source: GENTOO
Type: UNKNOWN
GLSA-200612-03

Source: CCN
Type: SECTRACK ID: 1017349
GnuPG OpenPGP Packet Stack Overflow Lets Remote Users Execute Arbitrary Code

Source: SECTRACK
Type: UNKNOWN
1017349

Source: CONFIRM
Type: UNKNOWN
http://support.avaya.com/elmodocs2/security/ASA-2007-047.htm

Source: CCN
Type: ASA-2007-047
gnupg security update (RHSA-2006-0754)

Source: DEBIAN
Type: UNKNOWN
DSA-1231

Source: DEBIAN
Type: DSA-1231
gnupg -- several vulnerabilities

Source: CCN
Type: GLSA-200612-03
GnuPG: Multiple vulnerabilities

Source: CCN
Type: GnuPG Web site
Download

Source: CCN
Type: US-CERT VU#427009
GnuPG vulnerable to remote data control

Source: CERT-VN
Type: US Government Resource
VU#427009

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2006:228

Source: SUSE
Type: UNKNOWN
SUSE-SR:2006:028

Source: CCN
Type: OpenPKG-SA-2006.037
GnuPG

Source: OPENPKG
Type: UNKNOWN
OpenPKG-SA-2006.037

Source: REDHAT
Type: Vendor Advisory
RHSA-2006:0754

Source: BUGTRAQ
Type: UNKNOWN
20061206 GnuPG: remotely controllable function pointer [CVE-2006-6235]

Source: BUGTRAQ
Type: UNKNOWN
20061206 rPSA-2006-0227-1 gnupg

Source: BID
Type: Vendor Advisory
21462

Source: CCN
Type: BID-21462
GnuPG OpenPGP Packet Processing Function Pointer Overwrite Vulnerability

Source: TRUSTIX
Type: UNKNOWN
2006-0070

Source: CCN
Type: USN-393-1
GnuPG vulnerability

Source: UBUNTU
Type: Patch
USN-393-1

Source: CCN
Type: USN-393-2
GnuPG2 vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-393-2

Source: VUPEN
Type: UNKNOWN
ADV-2006-4881

Source: XF
Type: UNKNOWN
gnupg-openpgp-code-execution(30711)

Source: XF
Type: UNKNOWN
gnupg-openpgp-code-execution(30711)

Source: CONFIRM
Type: UNKNOWN
https://issues.rpath.com/browse/RPL-835

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:11245

Source: SUSE
Type: SUSE-SR:2006:028
SUSE Security Summary Report

Vulnerable Configuration:

Configuration 1:

cpe:/a:gnu:privacy_guard:1.2.4:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.2.5:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.2.6:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.2.7:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.3.3:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.3.4:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.4:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.4.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.4.2:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.4.2.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.4.2.2:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.4.3:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.4.4:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.4.5:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.9.10:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.9.15:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.9.20:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:2.0:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:gpg4win:gpg4win:1.0.7:*:*:*:*:*:*:*

Configuration 2:

cpe:/o:redhat:enterprise_linux:4.0:*:advanced_server:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4.0:*:enterprise_server:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4.0:*:workstation:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_desktop:3.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_desktop:4.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:fedora_core:core6:*:*:*:*:*:*:*

OR cpe:/o:redhat:fedora_core:core_5.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux_advanced_workstation:2.1:*:itanium_processor:*:*:*:*:*

OR cpe:/o:rpath:linux:1:*:*:*:*:*:*:*

OR cpe:/o:slackware:slackware_linux:11.0:*:*:*:*:*:*:*

OR cpe:/o:ubuntu:ubuntu_linux:5.10:*:*:*:*:*:*:*

OR cpe:/o:ubuntu:ubuntu_linux:6.06:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

Configuration CCN 1:

cpe:/a:gnu:privacy_guard:1.3.3:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.4.5:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.2.4:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.2.5:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.2.6:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.2.7:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.3.4:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.4:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.4.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.4.2:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.4.2.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.4.2.2:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.4.3:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.4.4:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.9.10:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.9.15:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:1.9.20:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:2.0:*:*:*:*:*:*:*

OR cpe:/a:gnu:privacy_guard:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:gpg4win:gpg4win:1.0.7:*:*:*:*:*:*:*

AND

cpe:/a:openpkg:openpkg:current:*:*:*:*:*:*:*

OR cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:2.1::as:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

OR cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:*

OR cpe:/a:mandrakesoft:mandrake_multi_network_firewall:2.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2006:*:*:*:*:*:*:*

OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:2.1::es:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:2.1::ws:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2006::x86-64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2007:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2007::x86_64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20066235	V	CVE-2006-6235	2015-11-16
oval:org.mitre.oval:def:11245	V	A "stack overwrite" vulnerability in GnuPG (gpg) 1.x before 1.4.6, 2.x before 2.0.2, and 1.9.0 through 1.9.95 allows attackers to execute arbitrary code via crafted OpenPGP packets that cause GnuPG to dereference a function pointer from deallocated stack memory.	2013-04-29
oval:com.redhat.rhsa:def:20060754	P	RHSA-2006:0754: gnupg security update (Important)	2006-12-12
oval:org.debian:def:1231	V	several vulnerabilities	2006-12-09