[SB 20.06] RCE in TwistedWeb - Webserver (CVE-2020-10109)

Eine Sicherheitsl├╝cke in TwistedWeb bis einschl. Version 19.10.0 erlaubt das Einschleusen von Befehlen (Remote Code Execution).

Der Webserver ist embedded in vielen Devices zu finden, u.a. Synology NAS

Wir empfehlen dringend, Patches einzuspielen oder entsprechende Installationen vom Internet zu trennen.

[+] CVE is new   CVE-2020-10109 : 9.8 : CRITICAL
 Vendors  : twistedmatrix 
 Products : twisted
 Vector   : NETWORK
 Desc     : In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
 CVSS     : 
    'confidentialityImpact': 'HIGH', 
    'privilegesRequired': 'NONE', 
    'baseSeverity': 'CRITICAL', 
    'baseScore': 9.8, 
    'availabilityImpact': 'HIGH', 
    'integrityImpact': 'HIGH', 
    'attackVector': 'NETWORK', 
    'userInteraction': 'NONE', 
    'attackComplexity': 'LOW'

Referenzen





Fragen? Kontakt: info@zero.bs