Vulnerability 037/2017
Critical vulnerabilities in Wget
26.10.2017 at 18:23 - Updated 26.10.2017 at 21:37
GNU Wget has fixed two vulnerabilities that may allow an attacker to execute arbitrary commands on the target system.
GNU Wget is a common Unix utility to retrieve remote files. Wget contains two vulnerabilities, a stack overflow and a heap overflow, in the handling of HTTP chunked encoding. By convincing a user to download a specific link over HTTP, an attacker may be able to execute arbitrary code with the privileges of the user.
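The advisory only states that both overflows sit in Wget's handling of HTTP chunked transfer encoding. The following C program is an added example written for this page; it is not Wget's code and not a reconstruction of the patched functions. It shows the defensive shape a chunked-body decoder needs: the chunk size is parsed as an unsigned hexadecimal value, capped by a hypothetical policy limit (MAX_CHUNK_SIZE), and every copy length is bounded by both the remaining input and the remaining output buffer. The sample body and all function names are constructed for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest single chunk we are willing to accept; a hypothetical policy limit,
   not a value taken from Wget or from the advisory. */
#define MAX_CHUNK_SIZE (64UL * 1024UL * 1024UL)

/* Parse the chunk-size line of an HTTP/1.1 chunked body, e.g. "1a3f;ext=v".
   Returns true and stores the size on success; false for empty, signed,
   non-hex, overflowing or over-limit input. A signed parse (strtol) would let
   "-1" through and turn into a huge unsigned copy length later on. */
bool parse_chunk_size(const char *line, size_t *out)
{
    const char *p = line;
    while (*p == ' ' || *p == '\t') p++;
    if (!isxdigit((unsigned char)*p)) return false;   /* rejects '-', '+', "" */

    errno = 0;
    char *end = NULL;
    unsigned long v = strtoul(p, &end, 16);
    if (errno == ERANGE) return false;
    /* Only a chunk extension, whitespace or the line end may follow the hex. */
    if (*end != '\0' && *end != ';' && *end != ' ' && *end != '\t' &&
        *end != '\r' && *end != '\n')
        return false;
    if (v > MAX_CHUNK_SIZE) return false;
    *out = (size_t)v;
    return true;
}

/* Wrapper returning the parsed size, or -1 when the line is rejected. */
long chunk_size_of(const char *line)
{
    size_t n;
    return parse_chunk_size(line, &n) ? (long)n : -1;
}

/* Decode a complete chunked body held in memory into `out`.
   Returns the decoded length, or -1 on malformed input or when the decoded
   data would not fit in out_cap. Every length used for a copy is checked
   against what remains of both the input and the output buffer, so a hostile
   chunk size can never become an out-of-bounds write. */
long decode_chunked(const char *body, size_t body_len,
                    unsigned char *out, size_t out_cap)
{
    size_t pos = 0, written = 0;
    for (;;) {
        const char *eol = memchr(body + pos, '\n', body_len - pos);
        if (!eol) return -1;                          /* no size line */
        size_t line_len = (size_t)(eol - (body + pos));
        char line[32];
        if (line_len >= sizeof line) return -1;       /* absurd size line */
        memcpy(line, body + pos, line_len);
        line[line_len] = '\0';

        size_t chunk_size;
        if (!parse_chunk_size(line, &chunk_size)) return -1;
        pos += line_len + 1;
        if (chunk_size == 0) return (long)written;    /* last-chunk */
        if (chunk_size > body_len - pos) return -1;   /* truncated data */
        if (chunk_size > out_cap - written) return -1;/* output would overflow */
        memcpy(out + written, body + pos, chunk_size);
        written += chunk_size;
        pos += chunk_size;

        /* Chunk data must be terminated by CRLF (a bare LF is tolerated). */
        if (pos < body_len && body[pos] == '\r') pos++;
        if (pos >= body_len || body[pos] != '\n') return -1;
        pos++;
    }
}

/* Decode a NUL-terminated body into a scratch buffer of `cap` bytes (at most
   64) and report the decoded length or -1; convenient for checks and tests. */
long decode_len(const char *body, size_t cap)
{
    static unsigned char buf[64];
    if (cap > sizeof buf) cap = sizeof buf;
    return decode_chunked(body, strlen(body), buf, cap);
}

/* 1 if `body` decodes exactly to `expected`, 0 on error or mismatch. */
int decode_equals(const char *body, const char *expected)
{
    unsigned char buf[64];
    long n = decode_chunked(body, strlen(body), buf, sizeof buf);
    return n >= 0 && (size_t)n == strlen(expected) &&
           memcmp(buf, expected, (size_t)n) == 0;
}

int main(void)
{
    /* Constructed sample body, not captured traffic. */
    const char *body = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
    unsigned char out[64];
    long n = decode_chunked(body, strlen(body), out, sizeof out);
    if (n >= 0) printf("decoded %ld bytes: %.*s\n", n, (int)n, out);
    else        printf("malformed body\n");
    printf("negative chunk size rejected: %s\n",
           decode_len("-1\r\nAB\r\n0\r\n\r\n", 64) == -1 ? "yes" : "no");
    return 0;
}
```

The two checks that matter are the ones a naive decoder tends to skip: refusing a chunk-size line that does not begin with a hex digit (so a sign can never reach the integer parser), and comparing the parsed size against the space left in the destination buffer before the copy rather than trusting the size from the wire.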
Vulnerability coordination
The vulnerabilities were found by Antti Levomäki, Christian Jalio, and Joonas Pihlaja from Forcepoint. NCSC-FI would like to thank Forcepoint, the GNU Wget project and members of the distros list for participating in the coordination.
Target
- Servers and server applications
- Workstations and end-user applications
Attack vector
- Remote
Impact
- Execution of arbitrary commands
Remediation
- Software update patch
Vulnerable software:
- GNU Wget prior to version 1.19.2
Possible solutions and restrictive measures:
Update the vulnerable components according to vendor instructions.
Contact Information
NCSC-FI Vulnerability Coordination can be contacted as follows:
Email: vulncoord@ficora.fi
Please quote the advisory reference [FICORA #1010111] in the subject line.
Telephone:
+358 295 390 230
Monday - Friday 08:00 – 16:15 (EET: UTC+2)
Post:
Vulnerability Coordination
FICORA / NCSC-FI
P.O. Box 313
FI-00181 Helsinki
FINLAND
NCSC-FI encourages those who wish to communicate via email to make use of our PGP key. The key is available at https://www.viestintavirasto.fi/en/informationsecurity/ficorasinformationsecurityservices/vulnerabilitycoordination.html
Further information:
- http://git.savannah.gnu.org/cgit/wget.git/tag/?h=v1.19.2
- http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f
- http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba
- https://access.redhat.com/security/cve/cve-2017-13089
- https://security-tracker.debian.org/tracker/CVE-2017-13089
- https://archives.gentoo.org/gentoo-commits/message/09c04042112290fca2b1912080ae9933
- CVE-2017-13089
- CVE-2017-13090
Update history
- 26.10.2017 at 18:23: Published
- 26.10.2017 at 21:37: Added links to updates
The Finnish Communications Regulatory Authority (FICORA)
The National Cyber Security Centre Finland (NCSC-FI)
Itämerenkatu 3 A
P.O. Box 313
FI-00180 HELSINKI
Media contacts by telephone +358 295 390 248
