FreeBSD : krfb -- Possible Denial of Service or code execution via integer overflow (be5421ab-1b56-11e4-a767-5453ed2e2b49)

high Nessus Plugin ID 76987

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Albert Aastals Cid reports :

krfb embeds libvncserver which embeds liblzo2, it contains various flaws that result in integer overflow problems.

This potentially allows a malicious application to create a possible denial of service or code execution. Due to the need to exploit precise details of the target architecture and threading it is unlikely that remote code execution can be achieved in practice.

Solution

Update the affected package.

See Also

https://marc.info/?l=kde-announce&m=140709940701878&w=2

http://www.nessus.org/u?c73a4038

Plugin Details

Severity: High

ID: 76987

File Name: freebsd_pkg_be5421ab1b5611e4a7675453ed2e2b49.nasl

Version: 1.6

Type: local

Published: 8/4/2014

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:krfb, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 8/3/2014

Vulnerability Publication Date: 8/3/2014

Reference Information

CVE: CVE-2014-4607