CVE-2019-5610

high-risk
Published 2019-08-30

In FreeBSD 12.0-STABLE before r350637, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350638, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the bsnmp library is not properly validating the submitted length from a type-length-value encoding. A remote user could cause an out-of-bounds read or trigger a crash of the software such as bsnmpd resulting in a denial of service.

Do I need to act?

~
4.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Freebsd Netapp

References (10)

Patch http://packetstormsecurity.com/files/153959/FreeBSD-Security-Advisory-FreeBSD-SA...
Mailing List https://seclists.org/bugtraq/2019/Aug/6
Patch https://security.FreeBSD.org/advisories/FreeBSD-SA-19:20.bsnmp.asc
Patch https://security.FreeBSD.org/advisories/FreeBSD-SA-19:20.bsnmp.asc
Third Party Advisory https://security.netapp.com/advisory/ntap-20190910-0002/
Patch http://packetstormsecurity.com/files/153959/FreeBSD-Security-Advisory-FreeBSD-SA...
Mailing List https://seclists.org/bugtraq/2019/Aug/6
Patch https://security.FreeBSD.org/advisories/FreeBSD-SA-19:20.bsnmp.asc
Patch https://security.FreeBSD.org/advisories/FreeBSD-SA-19:20.bsnmp.asc
Third Party Advisory https://security.netapp.com/advisory/ntap-20190910-0002/
54
/ 100
high-risk
Severity 26/34 · High
Exploitability 7/34 · Low
Exposure 21/34 · High