CVE-2019-7715

An issue was discovered in the Interpeak IPCOMShell TELNET server on Green Hills INTEGRITY RTOS 5.0.4. The main shell handler function uses the value of the environment variable ipcom.shell.greeting as the first argument to printf(). Setting this variable using the sysvar command results in a user-controlled format string during login, resulting in an information leak of memory addresses.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/bl4ckic3/GHS-Bugs	Third Party Advisory
https://www.ghs.com/products/rtos/integrity.html	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:ghs:integrity_rtos:5.0.4:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-03-26 02:29

Updated : 2023-12-10 12:59

NVD link : CVE-2019-7715

Mitre link : CVE-2019-7715

CVE.ORG link : CVE-2019-7715

JSON object : View

Products Affected

ghs

integrity_rtos

CWE

CWE-134

Use of Externally-Controlled Format String

{"id": "CVE-2019-7715", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2019-03-26T02:29:00.237", "references": [{"url": "https://github.com/bl4ckic3/GHS-Bugs", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.ghs.com/products/rtos/integrity.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-134"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the Interpeak IPCOMShell TELNET server on Green Hills INTEGRITY RTOS 5.0.4. The main shell handler function uses the value of the environment variable ipcom.shell.greeting as the first argument to printf(). Setting this variable using the sysvar command results in a user-controlled format string during login, resulting in an information leak of memory addresses."}, {"lang": "es", "value": "Se ha encontrado un problema en el servidor Interpeak IPCOMShell TELNET en Green Hills INTEGRITY RTOS 5.0.4. La funci\u00f3n principal de gesti\u00f3n de comandos shell utiliza el valor de la variable de entorno ipcom.shell.greeting como primer argumento en printf(). La configuraci\u00f3n de esta variable mediante el comando sysvar resulta en un cadena de formato controlada por el usuario en la fase de inicio de sesi\u00f3n, resultando en una fuga de informaci\u00f3n de direcciones de memoria."}], "lastModified": "2019-03-27T14:28:51.627", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:ghs:integrity_rtos:5.0.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0BF4035E-02BD-499A-AB23-346F1EC3A1AD"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}