CVE-2019-6250
Published 2019-01-13
Priority: high (CVSS 3.0 base score 8.8)
CVSS 3.0 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 9.44% (94.8th percentile)
A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4.2.x and 4.3.x before 4.3.1. A v2_decoder.cpp zmq::v2_decoder_t::size_ready integer overflow allows an authenticated attacker to overwrite an arbitrary amount of bytes beyond the bounds of a buffer, which can be leveraged to run arbitrary code on the target system. The memory layout allows the attacker to inject OS commands into a data structure located immediately after the problematic buffer (i.e., it is not necessary to use a typical buffer-overflow exploitation technique that changes the flow of control).
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | zeromq3 | < zeromq3 4.3.1-1 (bookworm) | zeromq3 4.3.1-1 (bookworm) |
| zeromq | libzmq | 4.2.0 – 4.2.5 | — |
| zeromq | libzmq | >= 4.3.0 < 4.3.1 | 4.3.1 |
Detection & IOCs (extracted from sources)
- The vulnerability resides specifically in the v2_decoder.cpp file, in the zmq::v2_decoder_t::size_ready function; target detection efforts at integer overflow conditions in this code path within libzmq 4.2.x and 4.3.x before 4.3.1.
- The attack vector involves injecting OS commands into a data structure located immediately after the overflowed buffer; monitor for unexpected OS command strings embedded in ZeroMQ v2 protocol message data.
- Only the ZeroMQ version 2 decoder is affected; deployments using only the version 1 decoder (e.g., zeromq3 as shipped with Red Hat Ceph Storage 2) are not vulnerable. Scope detection to endpoints running libzmq 4.2.0 through 4.3.0.
- The vulnerability has been present since libzmq 4.2.0; inventory and alert on any process loading libzmq versions 4.2.0 through 4.3.0.
- Fedora (as of the bug report) shipped zeromq 4.1.6 and was therefore not affected, despite being flagged initially; verify the exact installed version before treating a Fedora host as vulnerable.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
Red Hat
zeromq: Integer overflow in zmq::v2_decoder_t::size_ready
vendor_redhat · 2019-01-08 · CVSS 8.8 · HIGH · CWE-190
A pointer overflow flaw was found in ZeroMQ libzmq version 4.2.x and 4.3.x, prior to 4.3.1. An integer overflow allows an authenticated attac
Debian
CVE-2019-6250: zeromq3 - A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0M...
vendor_debian · 2019 · CVSS 8.8 · HIGH
Scope: local
bookworm: resolved (fixed in 4.3.1-1)
bullseye: resolved (fixed in 4.3.1-1)
forky: resolved (fixed in 4.3.1-1)
sid: resolved (fixed in 4.3.1-1)
trixie: resolved (fixed in 4.3.1-1)
GHSA
GHSA-383h-xx34-hq84: A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4
ghsa_unreviewed · 2022-05-14 · HIGH · CWE-190
OSV
CVE-2019-6250: A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4
osv · 2019-01-13 · CVSS 8.8 · HIGH
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-6250 zeromq: Integer overflow in zmq::v2_decoder_t::size_ready [epel-all]
bugzilla · 2019-01-14 · CVSS 8.8 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versi
Bugzilla
CVE-2019-6250 zeromq: Integer overflow in zmq::v2_decoder_t::size_ready [fedora-all]
bugzilla · 2019-01-14 · CVSS 8.8 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported v
Bugzilla
CVE-2019-6250 zeromq: Integer overflow in zmq::v2_decoder_t::size_ready
bugzilla · 2019-01-14 · CVSS 8.8 · HIGH
Upstream issue:
https://github.com/zeromq/libzmq/issues/3351
References:
https://github.com/zeromq/libzmq/releases/tag/v4.3.
arXiv
Attack of the Clones: Measuring the Maintainability, Originality and Security of Bitcoin 'Forks' in the Wild
arxiv_fulltext · 2022-01-21
Jusop Choi (1), Wonseok Choi (1), William Aiken (1), Hyoungshick Kim (1), Jun Ho Huh (2), Taesoo Kim (3), Yongdae Kim (4), Ross Anderson (5)
(1) Sungkyunkwan University, Republic of Korea; (2) Samsung Research, Republic of Korea; (3) Georgia Institute of Technology, USA; (4) Korea Advanced Institute of Science and Technology, Republic of Korea; (5) Cambridge University, UK
## Abstract
Since Bitcoin appeared in 2009, over 6,000 different cryptocurrency projects have followed. The cryptocurrency world may be the only technology where a massive number of competitors offer similar services yet claim unique benefits, including scalability, fast transactions, and security. But are these projects real
References
- https://github.com/zeromq/libzmq/issues/3351
- https://github.com/zeromq/libzmq/releases/tag/v4.3.1
- https://security.gentoo.org/glsa/201903-22
- https://www.debian.org/security/2019/dsa-4368