CVE-2008-1552: Buffer Overflow
First published: Mon Mar 31 2008(Updated: )
The silc_pkcs1_decode function in the silccrypt library (silcpkcs1.c) in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.7, SILC Client before 1.1.4, and SILC Server before 1.1.2 allows remote attackers to execute arbitrary code via a crafted PKCS#1 message, which triggers an integer underflow, signedness error, and a buffer overflow. NOTE: the researcher describes this as an integer overflow, but CVE uses the "underflow" term in cases of wraparound from unsigned subtraction.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Silc Toolkit | <=1.1.6 | |
| SILC Client | <=1.1.3 | |
| SILC silc-server | <=1.1.2 | |
| Fedora | =7 | |
| Fedora | =8 | |
| SILC silc-server |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.coresecurity.com/?action=item&id=2206
- http://silcnet.org/general/news/?item=client_20080320_1
- http://silcnet.org/general/news/?item=server_20080320_1
- http://silcnet.org/general/news/?item=toolkit_20080320_1
- http://www.securityfocus.com/bid/28373
- http://www.securitytracker.com/id?1019690
- http://secunia.com/advisories/29463
- http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html
- http://secunia.com/advisories/29622
- http://securityreason.com/securityalert/3795
- http://security.gentoo.org/glsa/glsa-200804-27.xml
- http://secunia.com/advisories/29946
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:158
- http://secunia.com/advisories/29465
- https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00538.html
- https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00513.html
- http://www.vupen.com/english/advisories/2008/0974/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41474
- http://www.securityfocus.com/archive/1/490069/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2008-1552?
CVE-2008-1552 has been rated as a critical severity vulnerability due to its ability to allow remote code execution.
How do I fix CVE-2008-1552?
To fix CVE-2008-1552, upgrade to Secure Internet Live Conferencing (SILC) Toolkit version 1.1.7 or later, SILC Client version 1.1.4 or later, and SILC Server version 1.1.2 or later.
What software is affected by CVE-2008-1552?
CVE-2008-1552 affects SILC Toolkit versions prior to 1.1.7, SILC Client versions prior to 1.1.4, and SILC Server versions prior to 1.1.2.
What types of attacks can CVE-2008-1552 enable?
CVE-2008-1552 can enable remote attackers to execute arbitrary code through crafted PKCS#1 messages.
Is there a workaround for CVE-2008-1552 if I cannot immediately upgrade?
There are no known workarounds for CVE-2008-1552; upgrading to the fixed versions is the recommended solution.
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/references
- agent/author
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/silc
- canonical/silc toolkit
- version/silc toolkit/1.1.6
- canonical/silc client
- version/silc client/1.1.3
- canonical/silc silc-server
- version/silc silc-server/1.1.2
- vendor/redhat
- canonical/fedora
- version/fedora/7
- version/fedora/8