Rule Category

SERVER-OTHER -- Snort has detected traffic exploiting vulnerabilities in a server in the network.

Alert Message

SERVER-OTHER ZeroMQ libzmq stack-based buffer overflow attempt

Rule Explanation

This event is generated when an attempt to exploit CVE-2019-13132 is detected. Impact: Attempted User Privilege Gain Details: A stack-based buffer overflow exists in ZeroMQ libzmq due to improper validation of the 'INITIATE' command in 'curve_server.cpp'. A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted packet to the vulnerable service. Successful exploitation could result in denial of service conditions, or execution of arbitrary code. Ease of Attack:

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

CVE Additional Information

CVE-2019-13132
In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.
Details
Severity Base Score9.8
Impact Score5.9 Exploit Score3.9
Confidentiality ImpactHIGH Integrity ImpactHIGH
Availability ImpactHIGH Attack VectorNETWORK
ScopeUNCHANGED User InteractionNONE
Authentication Ease of AccessLOW
Privileges RequiredNONE