Vulnerability Name:

CVE-2017-5208 (CCN-125733)

Assigned:2017-01-08
Published:2017-01-08
Updated:2019-03-20
Summary:Integer overflow in the wrestool program in icoutils before 0.31.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted executable, which triggers a denial of service (application crash) or the possibility of execution of arbitrary code.
CVSS v3 Severity:8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
8.1 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L)
7.1 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): Low
8.1 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L)
7.1 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): Low
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
6.4 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:P)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Partial
Vulnerability Type:CWE-190
CWE-122
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2017-5208

Source: CCN
Type: icoutils GIT Repository
Fix check_offset overflow on 64-bit systems

Source: REDHAT
Type: Third Party Advisory
RHSA-2017:0837

Source: DEBIAN
Type: Third Party Advisory
DSA-3756

Source: CCN
Type: IBM Security Bulletin T1025264 (PowerKVM)
Vulnerabilities in icoutils affect PowerKVM

Source: MLIST
Type: Mailing List, VDB Entry
[oss-security] 20170108 Re: CVE Request: icoutils: exploitable crash in wrestool programm

Source: BID
Type: Third Party Advisory, VDB Entry
95315

Source: CCN
Type: BID-95315
icoutils CVE-2017-5208 Local Integer Overflow Vulnerability

Source: CCN
Type: Red Hat Bugzilla – Bug 1411251
(CVE-2017-5208) CVE-2017-5208 icoutils: Check_offset overflow on 64-bit systems

Source: CONFIRM
Type: Issue Tracking, Third Party Advisory, VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1411251

Source: XF
Type: UNKNOWN
icoutils-cve20175208-overflow(125733)

Source: CCN
Type: icoutils Web site
icoutils

Source: GENTOO
Type: Third Party Advisory
GLSA-201801-12

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-5208

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:icoutils_project:icoutils:*:*:*:*:*:*:*:* (Version < 0.31.1)

Configuration 2:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:icoutils_project:icoutils:0.31.1:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:powerkvm:2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:powerkvm:3.1:*:*:*:*:*:*:*

* Denotes that component is vulnerable

    Vulnerability Name:

    CVE-2017-5208 (CCN-125838)

    Assigned:2017-01-08
    Published:2017-01-08
    Updated:2017-03-22
    Summary:Integer overflow in the wrestool program in icoutils before 0.31.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted executable, which triggers a denial of service (application crash) or the possibility of execution of arbitrary code.
    CVSS v3 Severity:8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
    7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
    Exploitability Metrics:Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): Required
    Scope:Scope (S): Unchanged
    Impact Metrics:Confidentiality (C): High
    Integrity (I): High
    Availability (A): High
    8.1 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L)
    7.1 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C)
    Exploitability Metrics:Attack Vector (AV): Local
    Attack Complexity (AC): Low
    Privileges Required (PR): Low
    User Interaction (UI): Required
    Scope:Scope (S): Changed
    Impact Metrics:Confidentiality (C): High
    Integrity (I): High
    Availability (A): Low
    8.1 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L)
    7.1 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C)
    Exploitability Metrics:Attack Vector (AV): Local
    Attack Complexity (AC): Low
    Privileges Required (PR): Low
    User Interaction (UI): Required
    Scope:Scope (S): Changed
    Impact Metrics:Confidentiality (C): High
    Integrity (I): High
    Availability (A): Low
    CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Exploitability Metrics:Access Vector (AV): Network
    Access Complexity (AC): Medium
    Authentication (Au): None
    Impact Metrics:Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): Partial
    6.4 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:P)
    Exploitability Metrics:Access Vector (AV): Local
    Access Complexity (AC): Low
    Authentication (Au): Single_Instance
    Impact Metrics:Confidentiality (C): Complete
    Integrity (I): Complete
    Availability (A): Partial
    Vulnerability Type:CWE-190
    CWE-122
    Vulnerability Consequences:Denial of Service
    References:Source: MITRE
    Type: CNA
    CVE-2017-5208

    Source: CCN
    Type: icoutils Web site
    icoutils - Introduction

    Source: CCN
    Type: BID-95315
    icoutils CVE-2017-5208 Local Integer Overflow Vulnerability

    Source: CCN
    Type: Red Hat Bugzilla
    Bug 1411251 - (CVE-2017-5208) CVE-2017-5208 icoutils: Check_offset overflow on 64-bit systems

    Source: XF
    Type: UNKNOWN
    icoutils-cve20175208-dos(125838)

    Vulnerable Configuration:
    Configuration RedHat 1:
      • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

    Configuration RedHat 2:
      • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

    Configuration RedHat 3:
      • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

    Configuration RedHat 4:
      • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

    Configuration RedHat 5:
      • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

    Configuration CCN 1:
      • cpe:/a:icoutils_project:icoutils:0.31.1:*:*:*:*:*:*:*
      • AND
      • cpe:/o:redhat:enterprise_linux_desktop:7:*:*:*:*:*:*:*
      • OR cpe:/o:redhat:enterprise_linux_hpc_node:7:*:*:*:*:*:*:*
      • OR cpe:/o:redhat:enterprise_linux_server:7:*:*:*:*:*:*:*
      • OR cpe:/o:redhat:enterprise_linux_workstation:7:*:*:*:*:*:*:*
      • OR cpe:/o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*

    * Denotes that component is vulnerable

    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:20175208 | V | CVE-2017-5208 | 2022-06-30
    oval:org.opensuse.security:def:112429 | P | icoutils-0.32.3-1.7 on GA media (Moderate) | 2022-01-17
    oval:org.opensuse.security:def:105935 | P | icoutils-0.32.3-1.7 on GA media (Moderate) | 2021-10-01
    oval:com.ubuntu.xenial:def:201752080000000 | V | CVE-2017-5208 on Ubuntu 16.04 LTS (xenial) - medium. | 2017-08-22
    oval:com.ubuntu.artful:def:20175208000 | V | CVE-2017-5208 on Ubuntu 17.10 (artful) - medium. | 2017-08-22
    oval:com.ubuntu.disco:def:201752080000000 | V | CVE-2017-5208 on Ubuntu 19.04 (disco) - medium. | 2017-08-22
    oval:com.ubuntu.trusty:def:20175208000 | V | CVE-2017-5208 on Ubuntu 14.04 LTS (trusty) - medium. | 2017-08-22
    oval:com.ubuntu.cosmic:def:201752080000000 | V | CVE-2017-5208 on Ubuntu 18.10 (cosmic) - medium. | 2017-08-22
    oval:com.ubuntu.bionic:def:20175208000 | V | CVE-2017-5208 on Ubuntu 18.04 LTS (bionic) - medium. | 2017-08-22
    oval:com.ubuntu.xenial:def:20175208000 | V | CVE-2017-5208 on Ubuntu 16.04 LTS (xenial) - medium. | 2017-08-22
    oval:com.ubuntu.bionic:def:201752080000000 | V | CVE-2017-5208 on Ubuntu 18.04 LTS (bionic) - medium. | 2017-08-22
    oval:com.ubuntu.cosmic:def:20175208000 | V | CVE-2017-5208 on Ubuntu 18.10 (cosmic) - medium. | 2017-08-22
    oval:com.redhat.rhsa:def:20170837 | P | RHSA-2017:0837: icoutils security update (Important) | 2017-03-23
    oval:org.cisecurity:def:1694 | P | DSA-3756-1 -- icoutils -- security update | 2017-02-10
    oval:com.ubuntu.precise:def:20175208000 | V | CVE-2017-5208 on Ubuntu 12.04 LTS (precise) - medium. | 2017-01-09
    icoutils_project icoutils *
    debian debian linux 8.0
    redhat enterprise linux desktop 7.0
    redhat enterprise linux server 7.0
    redhat enterprise linux server aus 7.3
    redhat enterprise linux server aus 7.4
    redhat enterprise linux server aus 7.6
    redhat enterprise linux server eus 7.3
    redhat enterprise linux server eus 7.4
    redhat enterprise linux server eus 7.5
    redhat enterprise linux server eus 7.6
    redhat enterprise linux server tus 7.3
    redhat enterprise linux server tus 7.6
    redhat enterprise linux workstation 7.0
    icoutils_project icoutils 0.31.1
    ibm powerkvm 2.1
    ibm powerkvm 3.1
    icoutils_project icoutils 0.31.1
    redhat enterprise linux desktop 7
    redhat enterprise linux hpc node 7
    redhat enterprise linux server 7
    redhat enterprise linux workstation 7
    redhat enterprise linux server tus 7.3