CVE-2019-12518
published 2019-12-02

CVE-2019-12518: Anviz CrossChex access control management software 4.3.8.0 and 4.3.12 is vulnerable to a buffer overflow vulnerability.

Priority: P2 75
CVSS 3.1: 9.8 (critical)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Exploit: available
EPSS: 50.74% (98.8th percentile)

Affected

2 ranges
Vendor   Product    Version range   Fixed in
anviz    crosschex  4.3.8.0
anviz    crosschex  4.3.12

Detection & IOCs (extracted from sources)

Port: 5050/UDP
Bytes: \x07\x18\x42\x00
  • Listen for anomalous UDP responses on port 5050: the exploit waits for a CrossChex device-discovery broadcast and answers it with an oversized UDP datagram that triggers the stack buffer overflow in the client.
  • Detect oversized replies to CrossChex device-discovery broadcasts; the exploit has up to 8947 bytes of payload space, far more than a legitimate discovery reply.
  • Flag UDP packets destined to a CrossChex client that carry the JMP ESP gadget address bytes 0x07 0x18 0x42 0x00 (0x00421807 little-endian) at offset 261 from the start of the payload.
  • The attacker host binds 0.0.0.0:5050/UDP to intercept CrossChex broadcast traffic; monitor for unexpected processes bound to UDP port 5050 on hosts that are not CrossChex devices or clients.
  • The exploit targets only the x86 (32-bit) build of CrossChex Standard; the JMP ESP gadget address (0x00421807) is specific to that binary and will not apply to other versions or architectures.
  • Affected versions are 4.3.8.0 and 4.3.12 only; detections keyed on the gadget address or payload offset should be validated against the installed version.
  • The module sends raw (unencoded) x86 shellcode with NOP generation disabled, so signature-based detection must not rely on a conventional NOP sled.
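
As an added example (not the page's own content, nor code from NVD or the exploit module), the following Python detector applies the indicators above to constructed sample datagrams. The LEGIT_REPLY_MAX threshold, the Datagram container, and the addresses and ports in the samples are assumptions for illustration; the port, gadget bytes, offset and payload-space figure are the ones listed on this page.

```python
# Added example (not code from the page, NVD, or the exploit module): a small
# detector for the CVE-2019-12518 indicators, run over constructed sample datagrams.
# Assumption, not taken from the CrossChex protocol: LEGIT_REPLY_MAX bounds a
# genuine discovery reply; tune it against real captures before deploying.
from __future__ import annotations

from dataclasses import dataclass

CROSSCHEX_PORT = 5050
GADGET_BYTES = b"\x07\x18\x42\x00"   # 0x00421807 little-endian: JMP ESP in the x86 build
GADGET_OFFSET = 261                  # where the overwritten return address lands
EXPLOIT_PAYLOAD_SPACE = 8947         # payload space available to the exploit
LEGIT_REPLY_MAX = 512                # assumed upper bound for a genuine discovery reply


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def gadget_address() -> int:
    """Return the return-address value encoded by GADGET_BYTES (little-endian)."""
    return int.from_bytes(GADGET_BYTES, "little")


def findings(dg: Datagram) -> list[str]:
    """Reasons a datagram matches the CVE-2019-12518 indicators (empty list = clean)."""
    reasons: list[str] = []
    # Only traffic touching the CrossChex discovery port is in scope.
    if CROSSCHEX_PORT not in (dg.sport, dg.dport):
        return reasons
    # A reply far larger than any legitimate discovery answer.
    if len(dg.payload) > LEGIT_REPLY_MAX:
        reasons.append(f"oversized datagram: {len(dg.payload)} bytes on UDP/{CROSSCHEX_PORT}")
    # The exact gadget address at the overwrite offset is the high-confidence signal.
    if dg.payload[GADGET_OFFSET:GADGET_OFFSET + len(GADGET_BYTES)] == GADGET_BYTES:
        reasons.append(f"JMP ESP gadget {gadget_address():#010x} at payload offset {GADGET_OFFSET}")
    return reasons


def scan(datagrams: list[Datagram]) -> list[tuple[Datagram, list[str]]]:
    """Return every datagram that matched, paired with its reasons."""
    hits = []
    for dg in datagrams:
        reasons = findings(dg)
        if reasons:
            hits.append((dg, reasons))
    return hits


# Constructed sample traffic (not real captures).
# 1. A client's discovery broadcast: small, sent to the broadcast address.
DISCOVERY_BROADCAST = Datagram("10.0.0.20", 49152, "255.255.255.255", CROSSCHEX_PORT, b"\x00" * 32)
# 2. A plausible genuine reply from a device: small, sourced from port 5050.
BENIGN_REPLY = Datagram("10.0.0.50", CROSSCHEX_PORT, "10.0.0.20", 49152, b"\x00" * 64)
# 3. The malicious reply: filler up to the overwrite, the gadget, then the
#    (unencoded, no-NOP-sled) shellcode region. The bytes after the gadget are
#    inert filler here, not shellcode.
MALICIOUS_REPLY = Datagram(
    "10.0.0.99", CROSSCHEX_PORT, "10.0.0.20", 49152,
    (b"A" * GADGET_OFFSET + GADGET_BYTES + b"C" * 2048)[:EXPLOIT_PAYLOAD_SPACE],
)
# 4. Unrelated large UDP traffic on another port must not trigger.
OTHER_TRAFFIC = Datagram("10.0.0.7", 5353, "224.0.0.251", 5353, b"\x00" * 2048)

SAMPLES = [DISCOVERY_BROADCAST, BENIGN_REPLY, MALICIOUS_REPLY, OTHER_TRAFFIC]

if __name__ == "__main__":
    for dg, reasons in scan(SAMPLES):
        print(f"{dg.src}:{dg.sport} -> {dg.dst}:{dg.dport}")
        for r in reasons:
            print("   ", r)
```

Genuine replies also originate from port 5050, so the port alone is not a signal; the size check is a heuristic, and the gadget bytes at offset 261 are the discriminating match, valid only for the x86 build the page describes. For the host-side indicator (a process bound to 0.0.0.0:5050/UDP), on a Linux host `ss -lunp 'sport = :5050'` lists the listening process and its PID.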

CVSS provenance

NVD v3.1: 9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C