wicked: Use-after-free when receiving invalid DHCP6 IA_PD option
CVE-2019-18903

7.5HIGH

Key Information:

Vendor: Suse
Status: Suse Linux Enterprise Server 12; Suse Linux Enterprise Server 15; Leap 15.1; Factory
Vendor: CVE Published:; 2 March 2020

Summary

A Use After Free vulnerability in wicked of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15; openSUSE Leap 15.1, Factory allows remote attackers to cause DoS or potentially code execution. This issue affects: SUSE Linux Enterprise Server 12 wicked versions prior to 0.6.60-2.18.1. SUSE Linux Enterprise Server 15 wicked versions prior to 0.6.60-28.26.1. openSUSE Leap 15.1 wicked versions prior to 0.6.60-lp151.2.9.1. openSUSE Factory wicked versions prior to 0.6.62.

Affected Version(s)

Factory wicked < 0.6.62

Leap 15.1 wicked < 0.6.60-lp151.2.9.1

SUSE Linux Enterprise Server 12 wicked < 0.6.60-2.18.1

References

https://bugzilla.suse.com/show_bug.cgi?id=1160904

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 2, 2020
Vulnerability Reserved
Nov 12, 2019

Credit

Malte Kraus