Vulnerability CVE-2014-9984

Vulnerability Name:

CVE-2014-9984 (CCN-131449)

Assigned:

2014-03-12

Published:

2014-03-12

Updated:

2019-06-13

Summary:

nscd in the GNU C Library (aka glibc or libc6) before version 2.20 does not correctly compute the size of an internal buffer when processing netgroup requests, possibly leading to an nscd daemon crash or code execution as the user running nscd.

CVSS v3 Severity:

9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

CWE-119

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2014-9984

Source: MISC
Type: UNKNOWN
http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html

Source: MISC
Type: UNKNOWN
http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html

Source: FULLDISC
Type: UNKNOWN
20190612 SEC Consult SA-20190612-0 :: Multiple vulnerabilities in WAGO 852 Industrial Managed Switch Series

Source: FULLDISC
Type: UNKNOWN
20190904 SEC Consult SA-20190904-0 :: Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X

Source: BID
Type: UNKNOWN
99071

Source: CCN
Type: BID-99071
GNU glibc CVE-2014-9984 Remote Denial of Service Vulnerability

Source: XF
Type: UNKNOWN
glibc-cve20149984-dos(131449)

Source: BUGTRAQ
Type: UNKNOWN
20190613 SEC Consult SA-20190612-0 :: Multiple vulnerabilities in WAGO 852 Industrial Managed Switch Series

Source: BUGTRAQ
Type: UNKNOWN
20190904 SEC Consult SA-20190904-0 :: Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X

Source: CCN
Type: Sourceware Bugzilla Bug 16695
(CVE-2014-9984) - nscd aborts with glibc detected usr/sbin/nscd: realloc(): invalid next size" (CVE-2014-9984)

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://sourceware.org/bugzilla/show_bug.cgi?id=16695

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=c44496df2f090a56d3bf75df930592dac6bba46f

Source: CCN
Type: GNU Web site
glibc

Vulnerable Configuration:

Configuration 1:

cpe:/a:gnu:glibc:*:*:*:*:*:*:*:* (Version <= 2.19)

Configuration CCN 1:

cpe:/a:gnu:glibc:2.19:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:42295	P	Security update for pcre2 (Important)	2022-05-30
oval:org.opensuse.security:def:20149984	V	CVE-2014-9984	2022-05-20
oval:org.opensuse.security:def:42250	P	Security update for openssh (Important)	2021-12-22
oval:org.opensuse.security:def:41093	P	Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP2) (Important)	2020-12-01
oval:org.opensuse.security:def:19008	P	Security update for java-1_8_0-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:41561	P	Security update for dovecot22 (Important)	2020-12-01
oval:org.opensuse.security:def:41371	P	Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)	2020-12-01
oval:org.opensuse.security:def:19152	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:40660	P	Security update for gpg2 (Important)	2020-12-01
oval:org.opensuse.security:def:19427	P	Security update for java-1_8_0-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:19224	P	Security update for libgcrypt (Moderate)	2020-12-01
oval:org.opensuse.security:def:40763	P	Security update for the Linux Kernel (Live Patch 18 for SLE 12 SP2) (Important)	2020-12-01
oval:org.opensuse.security:def:19463	P	Security update for tcpdump (Moderate)	2020-12-01
oval:org.opensuse.security:def:19369	P	Security update for aspell (Moderate)	2020-12-01
oval:org.opensuse.security:def:41024	P	Security update for sqlite3 (Moderate)	2020-12-01
oval:org.opensuse.security:def:18973	P	Security update for podofo (Moderate)	2020-12-01
oval:org.opensuse.security:def:20127	P	Security update for glibc (Important)	2020-12-01
oval:org.opensuse.security:def:41532	P	Security update for git (Important)	2020-12-01
oval:org.opensuse.security:def:41195	P	Security update for log4j (Important)	2020-12-01
oval:org.opensuse.security:def:19094	P	Security update for openwsman (Important)	2020-12-01
oval:org.opensuse.security:def:18965	P	Security update for elfutils (Low)	2020-12-01
oval:org.opensuse.security:def:41612	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:41435	P	Security update for tomcat (Moderate)	2020-12-01
oval:org.opensuse.security:def:19186	P	Security update for python3 (Moderate)	2020-12-01
oval:org.opensuse.security:def:40671	P	Security update for the Linux Kernel (Live Patch 19 for SLE 12 SP2) (Important)	2020-12-01
oval:org.opensuse.security:def:19439	P	Security update for glibc (Important)	2020-12-01
oval:org.opensuse.security:def:19336	P	Security update for freerdp (Important)	2020-12-01
oval:org.opensuse.security:def:40915	P	Security update for java-1_7_1-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:40659	P	Security update for java-1_7_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:20101	P	Security update for java-1_7_1-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:41487	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:com.ubuntu.bionic:def:201499840000000	V	CVE-2014-9984 on Ubuntu 18.04 LTS (bionic) - medium.	2017-06-12
oval:com.ubuntu.artful:def:20149984000	V	CVE-2014-9984 on Ubuntu 17.10 (artful) - medium.	2017-06-12
oval:com.ubuntu.xenial:def:20149984000	V	CVE-2014-9984 on Ubuntu 16.04 LTS (xenial) - medium.	2017-06-12
oval:com.ubuntu.xenial:def:201499840000000	V	CVE-2014-9984 on Ubuntu 16.04 LTS (xenial) - medium.	2017-06-12
oval:com.ubuntu.bionic:def:20149984000	V	CVE-2014-9984 on Ubuntu 18.04 LTS (bionic) - medium.	2017-06-12
oval:com.ubuntu.cosmic:def:20149984000	V	CVE-2014-9984 on Ubuntu 18.10 (cosmic) - medium.	2017-06-12
oval:com.ubuntu.cosmic:def:201499840000000	V	CVE-2014-9984 on Ubuntu 18.10 (cosmic) - medium.	2017-06-12
oval:com.ubuntu.trusty:def:20149984000	V	CVE-2014-9984 on Ubuntu 14.04 LTS (trusty) - medium.	2017-06-12

BACK