Vulnerability Name: CVE-2013-7424 (CCN-101073)

Assigned:2015-01-27
Published:2015-01-27
Updated:2016-11-28
Summary:The getaddrinfo function in glibc before 2.15, when compiled with libidn and the AI_IDN flag is used, allows context-dependent attackers to cause a denial of service (invalid free) and possibly execute arbitrary code via unspecified vectors, as demonstrated by an internationalized domain name to ping6.
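The summary gives the affected range as glibc before 2.15 and the trigger as getaddrinfo() with the AI_IDN flag. The C program below is an added example, not code from this advisory or from the glibc project: it parses a glibc version string against that cutoff and, for a caller that cannot upgrade, strips the IDN flags (AI_IDN, AI_CANONIDN) from the getaddrinfo() hints so the libidn code path is never entered. The helper names parse_glibc_version, glibc_version_affected and strip_idn_flags_if_affected are the example's own; the AI_IDN and AI_CANONIDN values are glibc's <netdb.h> constants and are defined here only when the platform header lacks them.

```c
/* Added example for CVE-2013-7424 (not from the advisory or glibc itself):
 * version check against the "before 2.15" range in the CVE summary, plus a
 * hints-mask workaround that drops the AI_IDN flag family. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>   /* gnu_get_libc_version() */
#endif

/* glibc's <netdb.h> values; defined here only if the header lacks them. */
#ifndef AI_IDN
#define AI_IDN 0x0040
#endif
#ifndef AI_CANONIDN
#define AI_CANONIDN 0x0080
#endif

/* Parse "major.minor[.patch][-suffix]" such as "2.14.1", "2.12" or
 * "2.31-0ubuntu9".  Returns 0 on success, -1 if the string is not a version. */
int parse_glibc_version(const char *s, int *major, int *minor, int *patch)
{
    *major = *minor = *patch = 0;
    int n = sscanf(s, "%d.%d.%d", major, minor, patch);
    if (n < 2 || *major < 0 || *minor < 0 || *patch < 0)
        return -1;
    return 0;
}

/* 1 if the version is before 2.15 (upstream fix absent unless backported),
 * 0 if 2.15 or later, -1 if the string cannot be parsed. */
int glibc_version_affected(const char *ver)
{
    int major, minor, patch;
    if (parse_glibc_version(ver, &major, &minor, &patch) != 0)
        return -1;
    if (major != 2)
        return major < 2;
    return minor < 15;
}

/* Workaround for callers stuck on an affected build: remove the IDN flags from
 * the getaddrinfo() hints so the libidn conversion path is not taken.  An
 * unparsable version is treated as affected.  Returns the sanitised mask. */
int strip_idn_flags_if_affected(int ai_flags, const char *glibc_version)
{
    if (glibc_version_affected(glibc_version) != 0)
        return ai_flags & ~(AI_IDN | AI_CANONIDN);
    return ai_flags;
}

int main(void)
{
#ifdef __GLIBC__
    const char *ver = gnu_get_libc_version();
#else
    const char *ver = "unknown";            /* non-glibc platform */
#endif
    int flags = AI_CANONNAME | AI_IDN;      /* what an IDN-aware resolver call might pass */
    int verdict = glibc_version_affected(ver);

    printf("running C library version: %s\n", ver);
    if (verdict == 1)
        printf("predates 2.15: upstream fix absent unless the distribution backported it\n");
    else if (verdict == 0)
        printf("2.15 or later: upstream fix present\n");
    else
        printf("could not parse the version string\n");

    flags = strip_idn_flags_if_affected(flags, ver);
    printf("getaddrinfo ai_flags after workaround: 0x%x (AI_IDN %s)\n",
           flags, (flags & AI_IDN) ? "kept" : "dropped");
    return 0;
}
```

The version check is a necessary signal, not a sufficient one: distribution backports such as RHSA-2015:1627 fix the bug without changing the reported version (RHEL 6 ships a 2.12-based glibc), so on a packaged system confirm with the package changelog (for example `rpm -q --changelog glibc | grep CVE-2013-7424`) or with the OVAL definitions listed on this page rather than with the version string alone.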
CVSS v3 Severity:5.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity:5.1 Medium (CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
3.8 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
5.1 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
3.8 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
5.1 Medium (REDHAT CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
3.8 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type:CWE-17
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2013-7424

Source: REDHAT
Type: Vendor Advisory
RHSA-2015:1627

Source: CCN
Type: GNU Web site
The GNU C Library

Source: CCN
Type: IBM Security Bulletin T1022813
GNU C library (glibc) vulnerabilities affect IBM SmartCloud Entry (CVE-2013-7424)

Source: CCN
Type: IBM Security Bulletin N1020944
Vulnerabilities in glibc affect Power Hardware Management Console (CVE-2013-7424)

Source: CCN
Type: IBM Security Bulletin 1883368
Open Source GNU Glibc vulnerability

Source: CCN
Type: IBM Security Bulletin 1960485
Open Source GNU Glibc vulnerability affects IBM Security Guardium

Source: CCN
Type: IBM Security Bulletin 1963297
A vulnerability in GNU glibc affects IBM Security Network Protection (CVE-2013-7424)

Source: CCN
Type: IBM Security Bulletin 1966274
Multiple vulnerabilities in NTP, Hivex, glibc, libuser, BIND affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance

Source: CCN
Type: IBM Security Bulletin 1969017
GNU C library (glibc) vulnerability affects IBM Security Access Manager for Web (CVE-2013-7424 )

Source: CCN
Type: IBM Security Bulletin 1973022
GNU C library (glibc) vulnerability affects IBM Security Access Manager for Mobile (CVE-2013-7424 )

Source: CCN
Type: IBM Security Bulletin 1974624
Netezza Host Management is vulnerable to a GNU C Library (glibc) attack (CVE-2013-7424)

Source: MLIST
Type: UNKNOWN
[oss-security] 20150129 Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

Source: BID
Type: UNKNOWN
72710

Source: CCN
Type: BID-72710
GNU glibc 'getaddrinfo.c' Remote Code Execution Vulnerability

Source: CCN
Type: Red Hat Bugzilla – Bug 1186614
(CVE-2013-7424) CVE-2013-7424 glibc: Invalid-free when using getaddrinfo()

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=1186614

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=981942

Source: XF
Type: UNKNOWN
glibc-cve20137424-code-exec(101073)

Source: CONFIRM
Type: UNKNOWN
https://sourceware.org/bugzilla/show_bug.cgi?id=18011

Source: CONFIRM
Type: UNKNOWN
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2e96f1c7

Source: CCN
Type: IBM Security Bulletin 5098567
Vulnerability in glibc affects IBM System Networking RackSwitches (CVE-2013-7424)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-7424

Vulnerable Configuration:Configuration 1:
  • cpe:/a:gnu:glibc:*:*:*:*:*:*:*:* (Version <= 2.14.1)

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:6::computenode:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

  • Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

  • Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

  • Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:gnu:glibc:2.11.3:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:lotus_protector:2.8:*:*:*:mail_security:*:*:*
  • OR cpe:/a:ibm:smartcloud_provisioning:2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:smartcloud_provisioning:2.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:7.0:*:web:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_protector:2.8.1:*:*:*:mail_security:*:*:*
  • OR cpe:/o:ibm:security_access_manager:8.0:*:web:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:8.0:*:mobile:*:*:*:*:*
  • OR cpe:/o:ibm:security_network_protection_firmware:5.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:smartcloud_entry:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:smartcloud_entry:3.2:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:8.0.0.1:*:mobile:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:8.0.0.2:*:mobile:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:8.0.0.3:*:mobile:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:8.0.0.4:*:mobile:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:8.0.0.2:*:web:*:*:*:*:*
  • OR cpe:/a:ibm:smartcloud_entry:2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:smartcloud_entry:2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:puredata_system:1.0.0:*:*:*:analytics:*:*:*
  • OR cpe:/o:ibm:security_network_protection_firmware:5.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:smartcloud_provisioning:2.1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:smartcloud_provisioning:2.1.0.3:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:8.0.0.5:*:mobile:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:8.0.0.4:*:web:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:8.0.0.5:*:web:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:8.0.1:*:mobile:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:8.0.1:*:web:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:8.0.1.2:*:mobile:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:8.0.1.2:*:web:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:8.0.1.3:*:web:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:8.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:9.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:8.0.1.3:*:mobile:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:9.0:*:mobile:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager:9.0:*:web:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions (Class: P = patch definition, V = vulnerability definition)
    Definition ID                              | Class | Title                                                                      | Last Modified
    oval:org.cisecurity:def:37                 | P     | DSA-3169-1 -- eglibc -- security update                                    | 2016-02-08
    oval:com.ubuntu.precise:def:20137424000    | V     | CVE-2013-7424 on Ubuntu 12.04 LTS (precise) - medium.                      | 2015-08-26
    oval:com.ubuntu.trusty:def:20137424000     | V     | CVE-2013-7424 on Ubuntu 14.04 LTS (trusty) - medium.                       | 2015-08-26
    oval:com.redhat.rhsa:def:20151627          | P     | RHSA-2015:1627: glibc security update (Moderate)                           | 2015-08-17
    oval:com.redhat.rhsa:def:20141391          | P     | RHSA-2014:1391: glibc security, bug fix, and enhancement update (Moderate) | 2014-10-14