Vulnerability CVE-2014-9323

Vulnerability Name:

CVE-2014-9323 (CCN-99700)

Assigned:

2014-12-16

Published:

2014-12-16

Updated:

2021-03-05

Summary:

The xdr_status_vector function in Firebird before 2.1.7 and 2.5.x before 2.5.3 SU1 allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and crash) via an op_response action with a non-empty status.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.9 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.9 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-476

Vulnerability Consequences:

Denial of Service

References:

Source: CONFIRM
Type: Third Party Advisory
http://advisories.mageia.org/MGASA-2014-0523.html

Source: MITRE
Type: CNA
CVE-2014-9323

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2014:1621

Source: CCN
Type: oss-security Mailing List, Sat, 3 Jan 2015 18:59:18 -0500 (EST)
Re: CVE request: denial of service flaw in firebird

Source: CCN
Type: oss-security Mailing List, Mon, 5 Jan 2015 10:54:11 -0500 (EST)
Re: CVE request: denial of service flaw in firebird

Source: CCN
Type: FirebirdSQL Web site
Segfault in server caused by malformed network packet CVE-2014-9323

Source: CONFIRM
Type: Exploit, Vendor Advisory
http://tracker.firebirdsql.org/browse/CORE-4630

Source: DEBIAN
Type: Third Party Advisory
DSA-3109

Source: CONFIRM
Type: Vendor Advisory
http://www.firebirdsql.org/en/news/security-updates-for-v2-1-and-v2-5-series-66011/

Source: MANDRIVA
Type: Broken Link
MDVSA-2015:172

Source: CCN
Type: BID-71622
Firebird 'protocol.cpp' NULL Pointer Dereference Denial of Service Vulnerability

Source: XF
Type: UNKNOWN
firebird-cve20149323-dos(99700)

Source: UBUNTU
Type: Third Party Advisory
USN-3929-1

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-9323

Vulnerable Configuration:

Configuration 1:

cpe:/a:firebirdsql:firebird:*:*:*:*:*:*:*:* (Version < 2.1.7)

OR cpe:/a:firebirdsql:firebird:*:*:*:*:*:*:*:* (Version >= 2.5 and <= 2.5.3)

Configuration 2:

cpe:/o:opensuse:evergreen:11.4:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:debian:debian_linux:7.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 4:

cpe:/o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*

Configuration CCN 1:

cpe:/a:firebirdsql:firebird:2.1.5:*:*:*:*:*:*:*

OR cpe:/a:firebirdsql:firebird:2.5.2:*:*:*:*:*:*:*

OR cpe:/a:firebirdsql:firebird:2.5.3:*:*:*:*:*:*:*

OR cpe:/a:firebirdsql:firebird:2.1.6:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:28480	P	DSA-3109-1 -- firebird2.5 security update	2015-02-23
oval:com.ubuntu.precise:def:20149323000	V	CVE-2014-9323 on Ubuntu 12.04 LTS (precise) - medium.	2014-12-16
oval:com.ubuntu.xenial:def:201493230000000	V	CVE-2014-9323 on Ubuntu 16.04 LTS (xenial) - medium.	2014-12-16
oval:com.ubuntu.trusty:def:20149323000	V	CVE-2014-9323 on Ubuntu 14.04 LTS (trusty) - medium.	2014-12-16
oval:com.ubuntu.xenial:def:20149323000	V	CVE-2014-9323 on Ubuntu 16.04 LTS (xenial) - medium.	2014-12-16

BACK