Vulnerability CVE-2009-4652

Vulnerability Name:

CVE-2009-4652 (CCN-54272)

Assigned:

2009-05-04

Published:

2009-05-04

Updated:

2017-08-17

Summary:

The (1) Conn_GetCipherInfo and (2) Conn_UsesSSL functions in src/ngircd/conn.c in ngIRCd 13 and 14, when SSL/TLS support is present and standalone mode is disabled, allow remote attackers to cause a denial of service (application crash) by sending the MOTD command from another server in the same IRC network, possibly related to an array index error.

CVSS v3 Severity:

5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P)
1.9 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.4 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:C)
4.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

CWE-Other

Vulnerability Consequences:

Denial of Service

References:

Source: MISC
Type: UNKNOWN
http://arthur.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git;a=blobdiff;f=src/ngircd/conn.c;h=c6095a31c613bc5ca127d55b8723e15b836f1cca;hp=9752a6191c7e2da5b0df64779e9cc28ad1e6241c;hb=627b0b713c52406e50c84bb9459e7794262920a2;hpb=95428a72ffb5214826b61d5e77f860e7ef6a6c9e

Source: CCN
Type: ngIRCd Web site
security: fix remotely triggerable crash in SSL/TLS code

Source: CONFIRM
Type: UNKNOWN
http://arthur.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git;a=commit;h=627b0b713c52406e50c84bb9459e7794262920a2

Source: MITRE
Type: CNA
CVE-2009-4652

Source: CONFIRM
Type: UNKNOWN
http://ngircd.barton.de/doc/ChangeLog

Source: CONFIRM
Type: Vendor Advisory
http://ngircd.barton.de/doc/NEWS

Source: CCN
Type: SA37343
ngIRCd SSL/TLS Denial of Service Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
37343

Source: CCN
Type: OSVDB ID: 59975
ngIRCd src/ngircd/conn.c Multiple Function SSL / TLS Remote DoS

Source: BID
Type: Exploit
37021

Source: CCN
Type: BID-37021
ngIRCd SSL/TLS Support MOTD Request Multiple Denial Of Service Vulnerabilities

Source: VUPEN
Type: Vendor Advisory
ADV-2009-3240

Source: XF
Type: UNKNOWN
ngircd-ssltls-dos(54272)

Source: XF
Type: UNKNOWN
ngircd-ssltls-dos(54272)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ngircd:ngircd:13:*:*:*:*:*:*:*

OR cpe:/a:ngircd:ngircd:14:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.bionic:def:200946520000000	V	CVE-2009-4652 on Ubuntu 18.04 LTS (bionic) - medium.	2010-02-26
oval:com.ubuntu.artful:def:20094652000	V	CVE-2009-4652 on Ubuntu 17.10 (artful) - medium.	2010-02-26
oval:com.ubuntu.trusty:def:20094652000	V	CVE-2009-4652 on Ubuntu 14.04 LTS (trusty) - medium.	2010-02-26
oval:com.ubuntu.xenial:def:200946520000000	V	CVE-2009-4652 on Ubuntu 16.04 LTS (xenial) - medium.	2010-02-26
oval:com.ubuntu.bionic:def:20094652000	V	CVE-2009-4652 on Ubuntu 18.04 LTS (bionic) - medium.	2010-02-26
oval:com.ubuntu.xenial:def:20094652000	V	CVE-2009-4652 on Ubuntu 16.04 LTS (xenial) - medium.	2010-02-26
oval:com.ubuntu.cosmic:def:20094652000	V	CVE-2009-4652 on Ubuntu 18.10 (cosmic) - medium.	2010-02-26
oval:com.ubuntu.cosmic:def:200946520000000	V	CVE-2009-4652 on Ubuntu 18.10 (cosmic) - medium.	2010-02-26
oval:com.ubuntu.precise:def:20094652000	V	CVE-2009-4652 on Ubuntu 12.04 LTS (precise) - medium.	2010-02-26

BACK