CVE-2018-5262
Published 2018-01-12
Priority: P2 · 76 · Critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 39.12% (98.4th percentile)
A stack-based buffer overflow in Flexense DiskBoss 8.8.16 and earlier allows unauthenticated remote attackers to execute arbitrary code in the context of a highly privileged account.
Affected (21 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flexense | diskboss | <= 8.8.16 | — |
| jenkins | azure_slave_plugin | — | — |
| jenkins | azure_vm_agents_plugin | — | — |
| jenkins | coverity_plugin | — | — |
| jenkins | cppncss_plugin | — | — |
| jenkins | credentials_plugin | — | — |
| jenkins | envinject_plugin | — | — |
| jenkins | environment_injector_plugin | — | — |
| jenkins | gerrit_trigger_plugin | — | — |
| jenkins | git_plugin | — | — |
| jenkins | google_play_android_publisher_plugin | — | — |
| jenkins | ids_in_google_play_android_publisher_plugin | — | — |
| jenkins | improper_access_control_in_gerrit_trigger_plugin | — | — |
| jenkins | job_and_node_ownership_plugin | — | — |
| jenkins | mercurial_plugin | — | — |
| jenkins | testlink_plugin | — | — |
| jenkins | url_in_git_plugin | — | — |
| jenkins | url_in_mercurial_plugin | — | — |
| jenkins | url_in_subversion_plugin | — | — |
| jenkins | you_have_ever_used_environment_injector_plugin | — | — |
| pykmip_project | pykmip | >= 0 < 0.8.0 | 0.8.0 |
Detection & IOCs (extracted from sources)

Byte patterns:
- \x75\x19\xba\xab\x03\x00\x00\x00\x00\x40\x00\x00
- \xEB\x06\x90\x90
- \xe9\x3f\xfb\xff\xff

Detection notes:
- Monitor for unauthenticated TCP connections to DiskBoss listener ports 8094, 8096, 8097, 8098 containing the 4-byte magic header \x75\x19\xba\xab followed by \x03\x00\x00\x00\x00\x40\x00\x00; this is the exploit message framing.
- Detect the JMP short + NOP sled preret sequence (\xEB\x06\x90\x90) within the payload body on DiskBoss ports as an indicator of ROP/stack-pivot exploitation.
- Detect the backward JMP pivot stub (\xe9\x3f\xfb\xff\xff) within network payloads targeting DiskBoss ports; this is used to redirect execution into the shellcode NOP sled.
- The exploit sends a payload of ~1000 bytes with a fixed offset of 128 bytes before the return address overwrite; anomalously large single-packet messages to DiskBoss ports (~1000+ bytes) from unauthenticated sources should be flagged.
- The embedded shellcode is a Shikata Ga Nai encoded windows/shell_reverse_tcp payload; scan network traffic on DiskBoss ports for the Shikata Ga Nai decoder stub pattern.
- Context: the exploit was tested on Windows 7 SP1 x64 and Windows XP SP3 x86; ASLR/DEP status of the target affects reliability and gadget addresses.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| ghsa | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
GHSA
GHSA-w59g-gcwr-m2xr (ghsa_unreviewed · 2022-05-13): CVE-2018-5262 [CRITICAL] CWE-787
A stack-based buffer overflow in Flexense DiskBoss 8.8.16 and earlier allows unauthenticated remote attackers to execute arbitrary code in the context of a highly privileged account.
GHSA
PyKMIP Denial of service vulnerability (ghsa · 2018-12-21 · CVSS 4.3): CVE-2018-1000872 [MEDIUM] CWE-400
OpenKMIP PyKMIP, all versions before 0.8.0, contains a CWE-399 (Resource Management Errors) vulnerability in the PyKMIP server (similar to CVE-2015-5262) that can result in denial of service: the server can be made unavailable by one or more clients opening all of the available sockets. The attack appears to be exploitable by a client or clients opening sockets with the server and never closing them. This vulnerability appears to have been fixed in 0.8.0.
Red Hat
python-pykmip: DoS due to undefined default timeout for all server sockets (vendor_redhat · 2018-04-24 · CVSS 4.3): CVE-2018-1000872 [MEDIUM] CWE-400
Description: identical to the GHSA entry for CVE-2018-1000872 above.
Package: python-pykmip (Red Hat OpenStack Platform 13 (Queens)): Fix deferred
Package: python-pykmip (Red Hat OpenStack Platform 14 (Rocky)): Affected
No detection rules found.