CVE-2019-20503

moderate-risk
Published 2020-03-06

usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_addresses_from_init.

Do I need to act?

~
2.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10 Medium
NETWORK / LOW complexity

Affected Products (7)

Usrsctp

Affected Vendors

Debian Canonical Usrsctp Project

References (76)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00022.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00028.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00030.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00037.html
Mailing List http://seclists.org/fulldisclosure/2020/May/49
Mailing List http://seclists.org/fulldisclosure/2020/May/52
Mailing List http://seclists.org/fulldisclosure/2020/May/55
Mailing List http://seclists.org/fulldisclosure/2020/May/59
Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0815
Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0816
Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0819
Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0820
Exploit https://bugs.chromium.org/p/project-zero/issues/detail?id=1992
Third Party Advisory https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_...
Third Party Advisory https://crbug.com/1059349
Patch https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b49684...
Mailing List https://lists.debian.org/debian-lts-announce/2020/03/msg00013.html
Mailing List https://lists.debian.org/debian-lts-announce/2020/03/msg00023.html
Mailing List https://lists.debian.org/debian-lts-announce/2023/07/msg00003.html
Mailing List https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
and 56 more references
44
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 6/34 · Minimal
Exposure 14/34 · Moderate