linupnp 1.6.18

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Update to version 1.6.18 (bnc#801061)

  + Security fix for CERT issue VU#922681 This patch     addresses three possible buffer overflows in function     unique_service_name(). The three issues have the     folowing CVE numbers: CVE-2012-5958 Issue #2:
    Stack-based buffer overflow of Tempbuf CVE-2012-5959     Issue #4: Stack-based buffer overflow of Event->UDN     CVE-2012-5960 Issue #8: Stack-based buffer overflow of     Event->UDN

  + Notice that the following issues have already been dealt     by previous work: CVE-2012-5961 Issue #1: Stack-based     buffer overflow of Evt->UDN CVE-2012-5962 Issue #3:
    Stack-based buffer overflow of Evt->DeviceType     CVE-2012-5963 Issue #5: Stack-based buffer overflow of     Event->UDN CVE-2012-5964 Issue #6: Stack-based buffer     overflow of Event->DeviceType CVE-2012-5965 Issue #7:
    Stack-based buffer overflow of Event->DeviceType

According to its banner, the version of Portable SDK for UPnP Devices (libupnp) running on the remote host is prior to 1.6.18. It is, therefore, affected by multiple remote code execution vulnerabilities :

  - A stack-based buffer overflow condition exists in the     unique_service_name() function within file     ssdp/ssdp_server.c when handling Simple Service     Discovery Protocol (SSDP) requests that is triggered     while copying the DeviceType URN. An unauthenticated,     remote attacker can exploit this, via a specially     crafted SSDP request, to execute arbitrary code.
    (CVE-2012-5958)

  - A stack-based buffer overflow condition exists in the     unique_service_name() function within file     ssdp/ssdp_server.c when handling Simple Service     Discovery Protocol (SSDP) requests that is triggered     while copying the UDN prior to two colons. An     unauthenticated, remote attacker can exploit this, via a     specially crafted SSDP request, to execute arbitrary     code. (CVE-2012-5959)

  - A stack-based buffer overflow condition exists in the     unique_service_name() function within file     ssdp/ssdp_server.c when handling Simple Service     Discovery Protocol (SSDP) requests that is triggered     while copying the UDN prior to the '::upnp:rootdevice'     string. An unauthenticated, remote attacker can exploit     this, via a specially crafted SSDP request, to execute     arbitrary code. (CVE-2012-5960)

  - Multiple stack-based buffer overflow conditions exist in     the unique_service_name() function within file     ssdp/ssdp_server.c due to improper validation of the     UDN, DeviceType, and ServiceType fields when parsing     Simple Service Discovery Protocol (SSDP) requests. An     unauthenticated, remote attacker can exploit these     issues, via a specially crafted SSDP request, to execute     arbitrary code. (CVE-2012-5961, CVE-2012-5962,     CVE-2012-5963, CVE-2012-5964, CVE-2012-5965)

libupnp 1.6.18

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Unbundle libupnp.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Project changelog reports :

This patch addresses three possible buffer overflows in function unique_service_name().The three issues have the folowing CVE numbers :

- CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf

- CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN

- CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN

Notice that the following issues have already been dealt by previous work :

- CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN

- CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType

- CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN

- CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType

- CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType

Multiple stack-based buffer overflows were discovered in libupnp, a library used for handling the Universal Plug and Play protocol. HD Moore from Rapid7 discovered that SSDP queries where not correctly handled by the unique_service_name() function.

An attacker sending carefully crafted SSDP queries to a daemon built on libupnp could generate a buffer overflow, overwriting the stack, leading to the daemon crash and possible remote code execution.

Multiple stack-based buffer overflows were discovered in libupnp4, a library used for handling the Universal Plug and Play protocol. HD Moore from Rapid7 discovered that SSDP queries where not correctly handled by the unique_service_name() function.

An attacker sending carefully crafted SSDP queries to a daemon built on libupnp4 could generate a buffer overflow, overwriting the stack, leading to the daemon crash and possible remote code execution.

Updated libupnp packages fix security vulnerabilities :

The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet (CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965).

ID	Name	Product	Family	Published	Updated	Severity
64597	Fedora 16 : libupnp-1.6.18-1.fc16 (2013-1713)	Nessus	Fedora Local Security Checks	2/13/2013	1/11/2021	critical
75214	openSUSE Security Update : libupnp (openSUSE-SU-2013:0255-1)	Nessus	SuSE Local Security Checks	6/13/2014	1/19/2021	critical
64394	Portable SDK for UPnP Devices (libupnp) < 1.6.18 Multiple Stack-based Buffer Overflows RCE	Nessus	Gain a shell remotely	2/1/2013	3/2/2020	critical
64600	Fedora 17 : libupnp-1.6.18-1.fc17 (2013-1734)	Nessus	Fedora Local Security Checks	2/13/2013	1/11/2021	critical
64736	Fedora 18 : mediatomb-0.12.1-23.fc18 (2013-2377)	Nessus	Fedora Local Security Checks	2/21/2013	1/11/2021	critical
64374	FreeBSD : upnp -- multiple vulnerabilities (2ea6ce3d-6afd-11e2-9d4e-bcaec524bf84)	Nessus	FreeBSD Local Security Checks	1/31/2013	1/6/2021	critical
64395	Debian DSA-2614-1 : libupnp - several vulnerabilities	Nessus	Debian Local Security Checks	2/4/2013	1/11/2021	critical
64601	Fedora 18 : libupnp-1.6.18-1.fc18 (2013-1765)	Nessus	Fedora Local Security Checks	2/13/2013	1/11/2021	critical
64396	Debian DSA-2615-1 : libupnp4 - several vulnerabilities	Nessus	Debian Local Security Checks	2/4/2013	1/11/2021	critical
64735	Fedora 17 : mediatomb-0.12.1-23.fc17 (2013-2352)	Nessus	Fedora Local Security Checks	2/21/2013	1/11/2021	critical
66110	Mandriva Linux Security Advisory : libupnp (MDVSA-2013:098)	Nessus	Mandriva Local Security Checks	4/20/2013	1/6/2021	critical

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical