CVE-2019-20503

usrsctp: Out of bounds reads in sctp_load_addresses_from_init()

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_addresses_from_init.

usrsctp versiones anteriores al 20-12-2019, presenta lecturas fuera de límites en la función sctp_load_addresses_from_init.

The Mozilla Foundation Security Advisory describes this flaw as: The inputs to `sctp_load_addresses_from_init` are verified by `sctp_arethere_unrecognized_parameters`; however, the two functions handled parameter bounds differently, resulting in out of bounds reads when parameters are partially outside a chunk.

It was discovered that Message ID calculation was based on uninitialized data. An attacker could potentially exploit this to obtain sensitive information. Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, or execute arbitrary code. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-03-06 CVE Reserved
2020-03-06 CVE Published
2024-08-05 CVE Updated
2024-08-05 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-125: Out-of-bounds Read

CAPEC

References (40)

URL	Tag	Source
http://seclists.org/fulldisclosure/2020/May/49	Mailing List
http://seclists.org/fulldisclosure/2020/May/52	Mailing List
http://seclists.org/fulldisclosure/2020/May/55	Mailing List
http://seclists.org/fulldisclosure/2020/May/59	Mailing List
https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_18.html	Third Party Advisory
https://crbug.com/1059349	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/03/msg00013.html	Mailing List
https://lists.debian.org/debian-lts-announce/2020/03/msg00023.html	Mailing List
https://lists.debian.org/debian-lts-announce/2023/07/msg00003.html	Mailing List
https://support.apple.com/HT211168	Third Party Advisory
https://support.apple.com/HT211171	Third Party Advisory
https://support.apple.com/HT211175	Third Party Advisory
https://support.apple.com/HT211177	Third Party Advisory
https://support.apple.com/kb/HT211168	Third Party Advisory
https://support.apple.com/kb/HT211171	Third Party Advisory
https://support.apple.com/kb/HT211175	Third Party Advisory
https://support.apple.com/kb/HT211177	Third Party Advisory

URL	Date	SRC
https://bugs.chromium.org/p/project-zero/issues/detail?id=1992	2024-08-05

URL	Date	SRC
https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467	2024-06-27

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00022.html	2024-06-27
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00028.html	2024-06-27
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00030.html	2024-06-27
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00037.html	2024-06-27
https://access.redhat.com/errata/RHSA-2020:0815	2024-06-27
https://access.redhat.com/errata/RHSA-2020:0816	2024-06-27
https://access.redhat.com/errata/RHSA-2020:0819	2024-06-27
https://access.redhat.com/errata/RHSA-2020:0820	2024-06-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DDNOAGIX5D77TTHT6YPMVJ5WTXTCQEI	2024-06-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57	2024-06-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWANFIR3PYAL5RJQ4AO3ZS2DYMSF2ZGZ	2024-06-27
https://security.gentoo.org/glsa/202003-02	2024-06-27
https://security.gentoo.org/glsa/202003-10	2024-06-27
https://usn.ubuntu.com/4299-1	2024-06-27
https://usn.ubuntu.com/4328-1	2024-06-27
https://usn.ubuntu.com/4335-1	2024-06-27
https://www.debian.org/security/2020/dsa-4639	2024-06-27
https://www.debian.org/security/2020/dsa-4642	2024-06-27
https://www.debian.org/security/2020/dsa-4645	2024-06-27
https://access.redhat.com/security/cve/CVE-2019-20503	2020-04-01
https://bugzilla.redhat.com/show_bug.cgi?id=1812203	2020-04-01

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Usrsctp Project Search vendor "Usrsctp Project"		Usrsctp Search vendor "Usrsctp Project" for product "Usrsctp"				< 0.9.4.0 Search vendor "Usrsctp Project" for product "Usrsctp" and version " < 0.9.4.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				19.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.10"		-		Affected