A vulnerability was found in ViaBTC Exchange Server (the affected version is unknown). It has been declared as critical. Affected by this vulnerability is an unknown code of the file network/nw_buf.c. The manipulation with an unknown input leads to a integer overflow vulnerability. The CWE definition for the vulnerability is CWE-190. The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

network/nw_buf.c in ViaBTC Exchange Server before 2018-08-21 has an integer overflow leading to memory corruption.

The bug was discovered 08/09/2018. The weakness was presented 09/26/2018 (Website). The advisory is shared at github.com. This vulnerability is known as CVE-2018-17569 since 09/26/2018. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details are known, but no exploit is available.

The vulnerability was handled as a non-public zero-day exploit for at least 12 days. During that time the estimated underground price was around $0-$5k.

Upgrading eliminates this vulnerability. A possible mitigation has been published even before and not after the disclosure of the vulnerability.

See 124514 and 124512 for similar entries.

Productinfo

Vendor

• ViaBTC

Name

• Exchange Server

License

• open-source

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion