// For flags

CVE-2011-0547

Symantec Veritas Storage Foundation vxsvc.exe Value Unpacking Integer Overflow Remote Code Execution Vulnerability

Severity Score

10.0
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Multiple integer overflows in vxsvc.exe in the Veritas Enterprise Administrator service in Symantec Veritas Storage Foundation 5.1 and earlier, Veritas Storage Foundation Cluster File System (SFCFS) 5.1 and earlier, Veritas Storage Foundation Cluster File System Enterprise for Oracle RAC (SFCFSORAC) 5.1 and earlier, Veritas Dynamic Multi-Pathing (DMP) 5.1, and NetBackup PureDisk 6.5.x through 6.6.1.x allow remote attackers to execute arbitrary code via (1) a crafted Unicode string, related to the vxveautil.value_binary_unpack function; (2) a crafted ASCII string, related to the vxveautil.value_binary_unpack function; or (3) a crafted value, related to the vxveautil.kv_binary_unpack function, leading to a buffer overflow.

Múltiples desbordamientos de enteros en vxsvc.exe en el servicio VERITAS Enterprise Administrator en Symantec Veritas Storage Foundation v5.1 y anteriores, Veritas Storage Foundation Cluster File System (SFCFS) v5.1 y anteriores, Veritas Storage Foundation Cluster File Enterprise System de Oracle RAC (SFCFSORAC) v5.1 y anteriores, Veritas Dynamic Multi-Pathing (DMP) v5.1 y NetBackup PureDisk v6.5.x a v6.6.1.x permite a atacantes remotos ejecutar código de su elección a través de (1) una cadena Unicode modificada relacionada con la función vxveautil.value_binary_unpack, (2) una cadena ASCII debidamente modificada relacionada con la función vxveautil.value_binary_unpack, o (3) un valor determinado en la función vxveautil.kv_binary_unpack, que da lugar a un desbordamiento de búfer.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec Veritas Storage Foundation Administrator Service. Authentication is not required to exploit this vulnerability.
The specific flaw exists within vxsvc.exe process. The problem affecting the part of the server running on tcp port 2148 is an integer overflow in the function vxveautil.kv_binary_unpack where a 32-bit field is used to allocate an amount of memory equal to its value plus 1. This can be made to miscalculate a heap buffer which can be subsequently overflowed allowing an attacker to execute arbitrary code under the context of SYSTEM.

*Credits: Luigi Auriemma
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2011-01-20 CVE Reserved
  • 2011-08-16 CVE Published
  • 2024-08-06 CVE Updated
  • 2024-09-04 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-189: Numeric Errors
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Symantec
Search vendor "Symantec"
Veritas Dynamic Multi-pathing
Search vendor "Symantec" for product "Veritas Dynamic Multi-pathing"
5.1
Search vendor "Symantec" for product "Veritas Dynamic Multi-pathing" and version "5.1"
-
Affected
Symantec
Search vendor "Symantec"
Veritas Storage Foundation
Search vendor "Symantec" for product "Veritas Storage Foundation"
<= 5.1
Search vendor "Symantec" for product "Veritas Storage Foundation" and version " <= 5.1"
-
Affected
Symantec
Search vendor "Symantec"
Veritas Storage Foundation
Search vendor "Symantec" for product "Veritas Storage Foundation"
5.0
Search vendor "Symantec" for product "Veritas Storage Foundation" and version "5.0"
-
Affected
Symantec
Search vendor "Symantec"
Veritas Storage Foundation Cluster File System For Oracle Rac
Search vendor "Symantec" for product "Veritas Storage Foundation Cluster File System For Oracle Rac"
<= 5.1
Search vendor "Symantec" for product "Veritas Storage Foundation Cluster File System For Oracle Rac" and version " <= 5.1"
-
Affected
Symantec
Search vendor "Symantec"
Veritas Storage Foundation Cluster File System For Oracle Rac
Search vendor "Symantec" for product "Veritas Storage Foundation Cluster File System For Oracle Rac"
5.0
Search vendor "Symantec" for product "Veritas Storage Foundation Cluster File System For Oracle Rac" and version "5.0"
-
Affected
Symantec
Search vendor "Symantec"
Netbackup Puredisk
Search vendor "Symantec" for product "Netbackup Puredisk"
6.5.0.1
Search vendor "Symantec" for product "Netbackup Puredisk" and version "6.5.0.1"
-
Affected
Symantec
Search vendor "Symantec"
Netbackup Puredisk
Search vendor "Symantec" for product "Netbackup Puredisk"
6.5.1
Search vendor "Symantec" for product "Netbackup Puredisk" and version "6.5.1"
-
Affected
Symantec
Search vendor "Symantec"
Netbackup Puredisk
Search vendor "Symantec" for product "Netbackup Puredisk"
6.5.1.1
Search vendor "Symantec" for product "Netbackup Puredisk" and version "6.5.1.1"
-
Affected
Symantec
Search vendor "Symantec"
Netbackup Puredisk
Search vendor "Symantec" for product "Netbackup Puredisk"
6.5.1.2
Search vendor "Symantec" for product "Netbackup Puredisk" and version "6.5.1.2"
-
Affected
Symantec
Search vendor "Symantec"
Netbackup Puredisk
Search vendor "Symantec" for product "Netbackup Puredisk"
6.6.1
Search vendor "Symantec" for product "Netbackup Puredisk" and version "6.6.1"
-
Affected
Symantec
Search vendor "Symantec"
Netbackup Puredisk
Search vendor "Symantec" for product "Netbackup Puredisk"
6.6.1.1
Search vendor "Symantec" for product "Netbackup Puredisk" and version "6.6.1.1"
-
Affected
Symantec
Search vendor "Symantec"
Netbackup Puredisk
Search vendor "Symantec" for product "Netbackup Puredisk"
6.6.1.2
Search vendor "Symantec" for product "Netbackup Puredisk" and version "6.6.1.2"
-
Affected