Vulnerability CVE-2018-10184

Vulnerability Name:

CVE-2018-10184 (CCN-143082)

Assigned:

2018-04-19

Published:

2018-04-19

Updated:

2018-06-18

Summary:

An issue was discovered in HAProxy before 1.8.8. The incoming H2 frame length was checked against the max_frame_size setting instead of being checked against the bufsize. The max_frame_size only applies to outgoing traffic and not to incoming, so if a large enough frame size is advertised in the SETTINGS frame, a wrapped frame will be defragmented into a temporary allocated buffer where the second fragment may overflow the heap by up to 16 kB. It is very unlikely that this can be exploited for code execution given that buffers are very short lived and their addresses not realistically predictable in production, but the likelihood of an immediate crash is absolutely certain.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-119

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2018-10184

Source: CCN
Type: HAProxy GIT Repository
Released version 1.8.8

Source: CONFIRM
Type: Patch, Vendor Advisory
http://git.haproxy.org/?p=haproxy-1.8.git;a=commit;h=cd117685f0cff4f2f5577ef6a21eaae96ebd9f28

Source: CONFIRM
Type: Patch, Vendor Advisory
http://git.haproxy.org/?p=haproxy.git;a=commit;h=3f0e1ec70173593f4c2b3681b26c04a4ed5fc588

Source: REDHAT
Type: Third Party Advisory
RHSA-2018:1372

Source: XF
Type: UNKNOWN
haproxy-cve201810184-dos(143082)

Vulnerable Configuration:

Configuration 1:

cpe:/a:haproxy:haproxy:*:*:*:*:*:*:*:* (Version < 1.8.8)

Configuration 2:

cpe:/o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:7.3:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:haproxy:haproxy:1.8.7:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.artful:def:201810184000	V	CVE-2018-10184 on Ubuntu 17.10 (artful) - medium.	2018-05-09
oval:com.ubuntu.bionic:def:2018101840000000	V	CVE-2018-10184 on Ubuntu 18.04 LTS (bionic) - medium.	2018-05-09
oval:com.ubuntu.bionic:def:201810184000	V	CVE-2018-10184 on Ubuntu 18.04 LTS (bionic) - medium.	2018-05-09
oval:com.ubuntu.xenial:def:2018101840000000	V	CVE-2018-10184 on Ubuntu 16.04 LTS (xenial) - medium.	2018-05-09
oval:com.ubuntu.trusty:def:201810184000	V	CVE-2018-10184 on Ubuntu 14.04 LTS (trusty) - medium.	2018-05-09
oval:com.ubuntu.xenial:def:201810184000	V	CVE-2018-10184 on Ubuntu 16.04 LTS (xenial) - medium.	2018-05-09

BACK