CVE-2017-13090 : What You Need to Know

CVE-2017-13090, published on October 27, 2017, addresses a heap overflow vulnerability in GNU Wget versions prior to 1.19.2. The vulnerability allows attackers to manipulate malloc metadata following the allocated buffer.

Understanding CVE-2017-13090

What is CVE-2017-13090?

In versions of GNU Wget prior to 1.19.2, a heap overflow vulnerability exists in the HTTP protocol handling. This vulnerability enables attackers to fully control the length argument passed to the function fd_read(), potentially leading to malicious activities.

The Impact of CVE-2017-13090

The vulnerability has a CVSS base score of 8.8, indicating a high severity level. It affects confidentiality, integrity, and availability, with no privileges required for exploitation.

Technical Details of CVE-2017-13090

Vulnerability Description

When processing OK responses, the function retr.c:fd_read_body() is invoked. In affected versions, the chunk parser fails to verify that the chunk length is a non-negative number, allowing attackers to control the length argument passed to fd_read().

Affected Systems and Versions

Product: Wget
Vendor: GNU Project
Versions Affected: Prior to 1.19.2

Exploitation Mechanism

Attack Complexity: Low
Attack Vector: Network
User Interaction: Required
Scope: Unchanged
Exploitation of the vulnerability requires no privileges and can result in a complete compromise of the affected system.

Mitigation and Prevention

Immediate Steps to Take

Apply the patch to Wget version 1.19.2 or an equivalent version from your operating system distribution.

Long-Term Security Practices

Regularly update software and apply security patches promptly.
Implement network security measures to detect and prevent malicious activities.

Patching and Updates

Ensure timely installation of security updates and patches to mitigate known vulnerabilities.