CVE-2017-11757

moderate-risk
Published 2017-07-31

Heap-based buffer overflow in Actian Pervasive PSQL v12.10 and Zen v13 allows remote attackers to execute arbitrary code via crafted traffic to TCP port 1583. The overflow occurs after Server-Client encryption-key exchange. The issue results from an integer underflow that leads to a zero-byte allocation. The _srvLnaConnectMP1 function is affected.

Do I need to act?

~
3.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Pervasive Psql
Zen

Affected Vendors

Actian

References (6)

Vendor Advisory http://supportservices.actian.com/support-services/security-center#announcements
Exploit https://blogs.securiteam.com/index.php/archives/2924
Third Party Advisory https://twitter.com/SecuriTeam_SSD/status/815567538318954496
Vendor Advisory http://supportservices.actian.com/support-services/security-center#announcements
Exploit https://blogs.securiteam.com/index.php/archives/2924
Third Party Advisory https://twitter.com/SecuriTeam_SSD/status/815567538318954496
46
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 7/34 · Low
Exposure 7/34 · Low