CVE-2008-1552

Published Mar 31, 2008

Last updated 6 years ago

CVSS info 6.8

Overview

Description: The silc_pkcs1_decode function in the silccrypt library (silcpkcs1.c) in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.7, SILC Client before 1.1.4, and SILC Server before 1.1.2 allows remote attackers to execute arbitrary code via a crafted PKCS#1 message, which triggers an integer underflow, signedness error, and a buffer overflow. NOTE: the researcher describes this as an integer overflow, but CVE uses the "underflow" term in cases of wraparound from unsigned subtraction.
Source: cve@mitre.org
NVD status: Modified

Risk scores

CVSS 2.0

Type: Primary
Base score: 6.8
Impact score: 6.4
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-189

Hype score: Not currently trending

Vendor comments

Red HatRed Hat does not consider this issue to be a security flaw as SILC is not used in a vulnerable manner in Red Hat Enterprise Linux 4 and 5. More information can be found here: https://bugzilla.redhat.com/show_bug.cgi?id=440049

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:silc:silc_client:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "17399447-A537-43ED-8F3B-34A6B3775F91",
            "versionEndIncluding": "1.1.3"
          },
          {
            "criteria": "cpe:2.3:a:silc:silc_server:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C79529C3-3305-4C9F-81B9-6A230CEC864B",
            "versionEndIncluding": "1.1.2"
          },
          {
            "criteria": "cpe:2.3:a:silc:silc_toolkit:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "29C8F2A5-C309-4BAB-B292-B95BE9BD335B",
            "versionEndIncluding": "1.1.6"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:redhat:fedora:7:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "EE2027FA-357A-4BE3-9043-6DE8307C040A"
          },
          {
            "criteria": "cpe:2.3:o:redhat:fedora:8:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "C8E8256F-3FB6-45B2-8F03-02A61C10FAF0"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:silc:silc:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A363089A-8328-48B1-9609-36A635EC4A46"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]

Overview

Risk scores

CVSS 2.0

Weaknesses

Social media

Vendor comments

Configurations

References