CVE-2020-27638 : receive.c in fastd before v21 allows denial of service (assertion failure) when

receive.c in fastd before v21 allows denial of service (assertion failure) when receiving packets with an invalid type code.

Published 2020-10-22 13:15:16

Updated 2022-04-28 18:23:57

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2020-27638

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 31
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 32
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Fastd Project » Fastd
Versions before (<) 21.0
cpe:2.3:a:fastd_project:fastd:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

1.11%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 76 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE-617 Reachable Assertion

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Assigned by: nvd@nist.gov (Primary)

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSMH65GHKHMJAK2VMPROIPIUS4IA63CW/

[SECURITY] Fedora 31 Update: fastd-21-1.fc31 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://github.com/NeoRaider/fastd/commit/737925113363b6130879729cdff9ccc46c33eaea

receive: fix buffer leak when receiving invalid packets · NeoRaider/fastd@7379251 · GitHub
Patch;Third Party Advisory
https://fastd.readthedocs.io/en/stable/releases/v21.html

fastd v21 — fastd 21 documentation
Broken Link;Release Notes;Third Party Advisory
https://bugs.debian.org/972521

#972521 - fastd: CVE-2020-27638: DoS'able memory leak on invalid packets - Debian Bug report logs
Issue Tracking;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUZ3AGTAXH7OOP45F5WXBVRQ3IDWUR7M/

[SECURITY] Fedora 32 Update: fastd-21-1.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2LNSF2LI4RQ7BVGHTJQUJWP7RVGHDTK/

[SECURITY] Fedora 33 Update: fastd-21-1.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/10/msg00025.html

[SECURITY] [DLA-2414-1] fastd security update
Mailing List;Third Party Advisory

Jump to