PT-2019-2186 · Atftp+3

Denis Andzakovic

·

Published

2019-04-14

·

Updated

2024-06-15

·

CVE-2019-11365

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: atftp version 0.7.1
Description: A remote attacker may send a crafted packet to trigger a stack-based buffer overflow due to an insecurely implemented strncpy call. The issue is triggered by sending an error packet of 3 bytes or fewer, that is, a packet shorter than the 4-byte TFTP ERROR header (2-byte opcode followed by 2-byte error code) that precedes the error message. The vulnerable strncpy pattern appears in multiple files, on the server side (tftpd_file.c, tftpd_mtftp.c) and on the client side (tftp_file.c, tftp_mtftp.c), so the atftp client talking to a malicious server is exposed as well as the atftpd daemon.
Recommendations: Apply the vendor updates listed under Related Identifiers (Debian DSA-4438-1 and DLA-1783-1, Ubuntu USN-4540-1 and USN-4643-1, and the SUSE and ALT Linux updates). Where no fixed package is available yet, restrict network access to the atftpd service (TFTP, UDP port 69) to trusted hosts, or stop it. Because the same pattern is present in the client files tftp_file.c and tftp_mtftp.c, also avoid pointing the atftp client at untrusted servers until it is updated; filtering inbound access to the daemon does not cover that path. If building from source, the fix is not to avoid strncpy as such but to validate the packet before deriving a copy length from it: reject any ERROR packet shorter than its 4-byte header, and bound the copy by both the remaining payload and the destination buffer size.
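The pattern the Description refers to, reconstructed as an added example and not atftp's own source: a TFTP ERROR packet is a 2-byte opcode, a 2-byte error code and then the message, so code that derives the message length as packet length minus 4 without first checking that the packet actually holds those 4 bytes ends up with a negative length for the 3-byte-or-shorter packets named above, and strncpy, whose length parameter is a size_t, receives it as a huge value. The first function below is that computation in isolation (the MAXLEN buffer size and the exact expression are assumptions); the second is the check the Recommendations call for, parsing the same packets with the length validated first. The sample packets are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXLEN        256   /* assumed size of the stack buffer the message lands in */
#define TFTP_OP_ERROR 5     /* RFC 1350 ERROR opcode */
#define TFTP_HDR_LEN  4     /* 2-byte opcode + 2-byte error code precede the message */

/*
 * Reconstruction of the unsafe length computation (assumption, not atftp's code).
 * data_size is the received UDP payload length as a signed int, as a recv()
 * result would be. Nothing checks that the packet holds the 4-byte header, so
 * for data_size <= 3 the subtraction goes negative; strncpy takes a size_t,
 * and -1 becomes SIZE_MAX, so the copy runs far past the stack buffer.
 */
size_t vulnerable_copy_len(int data_size)
{
    int n = ((data_size - TFTP_HDR_LEN) < MAXLEN) ? (data_size - TFTP_HDR_LEN) : MAXLEN;
    return (size_t)n;   /* the value a strncpy(string, th_msg, n) would receive */
}

/*
 * Hardened parser: validates the packet before deriving any length from it
 * and bounds the copy by both the remaining payload and the destination.
 * Returns the message length on success, -1 on a malformed packet.
 */
int parse_tftp_error(const uint8_t *pkt, size_t len,
                     uint16_t *code, char *msg, size_t msg_sz)
{
    if (pkt == NULL || msg == NULL || msg_sz == 0)
        return -1;
    if (len < TFTP_HDR_LEN)                        /* the 3-byte trigger stops here */
        return -1;
    uint16_t op = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (op != TFTP_OP_ERROR)
        return -1;
    if (code != NULL)
        *code = (uint16_t)((pkt[2] << 8) | pkt[3]);

    size_t avail = len - TFTP_HDR_LEN;             /* cannot underflow: len >= 4 */
    size_t n = 0;
    while (n < avail && pkt[TFTP_HDR_LEN + n] != '\0')   /* stop at NUL or end of payload */
        n++;
    if (n > msg_sz - 1)                            /* truncate rather than overflow */
        n = msg_sz - 1;
    memcpy(msg, pkt + TFTP_HDR_LEN, n);
    msg[n] = '\0';                                 /* always terminated */
    return (int)n;
}

/* Constructed sample packets, not captured traffic. */
static const uint8_t sample_good[] = {
    0x00, 0x05,                                   /* opcode 5 = ERROR */
    0x00, 0x01,                                   /* error code 1 = file not found */
    'F','i','l','e',' ','n','o','t',' ','f','o','u','n','d', 0x00
};
static const uint8_t sample_trigger[] = { 0x00, 0x05, 0x00 };   /* 3 bytes: header cut short */

/* Run the samples through the hardened parser; each returns one checkable result. */
int demo_good_len(void)    { uint16_t c; char m[MAXLEN]; return parse_tftp_error(sample_good, sizeof sample_good, &c, m, sizeof m); }
int demo_good_code(void)   { uint16_t c = 0; char m[MAXLEN]; parse_tftp_error(sample_good, sizeof sample_good, &c, m, sizeof m); return (int)c; }
int demo_good_msg_ok(void) { uint16_t c; char m[MAXLEN]; parse_tftp_error(sample_good, sizeof sample_good, &c, m, sizeof m); return strcmp(m, "File not found") == 0; }
int demo_trunc_len(void)   { uint16_t c; char m[8];      return parse_tftp_error(sample_good, sizeof sample_good, &c, m, sizeof m); }   /* bounded by destination */
int demo_trigger_len(void) { uint16_t c; char m[MAXLEN]; return parse_tftp_error(sample_trigger, sizeof sample_trigger, &c, m, sizeof m); }

int main(void)
{
    printf("copy length the unsafe code derives from a 3-byte packet: %zu (buffer is %d)\n",
           vulnerable_copy_len(3), MAXLEN);
    printf("hardened parser, well-formed packet: %d bytes, code %d, message ok: %d\n",
           demo_good_len(), demo_good_code(), demo_good_msg_ok());
    printf("hardened parser, 8-byte destination: %d bytes copied\n", demo_trunc_len());
    printf("hardened parser, 3-byte packet: %d\n", demo_trigger_len());
    return 0;
}
```

Compile with any C99 compiler and run. The number to look at is the copy length derived from the 3-byte packet, which exceeds any stack buffer by orders of magnitude, while the hardened parser rejects the same packet before computing anything and caps the copy for a destination that is smaller than the message.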

Exploit

Fix

Buffer Overflow

Memory Corruption


Weakness Enumeration

Related Identifiers

ALT-PU-2020-3133
ALT-PU-2020-3153
ALT-PU-2022-2609
BDU:2019-01952
CVE-2019-11365
DLA-1783-1
DSA-4438-1
OPENSUSE-SU-2024:10636-1
SUSE-SU-2019:1091-1
SUSE-SU-2019:14033-1
SUSE-SU-2019_1091-1
SUSE-SU-2019_14033-1
USN-4540-1
USN-4643-1

Affected Products

Alt Linux
Suse
Ubuntu
Atftp