cvelist / GitHub_M / CVELIST:CVE-2022-39377
History: Nov 08, 2022 - 12:00 a.m.

CVE-2022-39377 sysstat Incorrect Buffer Size calculation on 32-bit systems results in RCE via buffer overflow

2022-11-08 00:00:00
CWE-120
CWE-131
GitHub_M
www.cve.org
sysstat
buffer overflow
rce
32-bit
linux
patch

CVSS3: 7 High
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.4 High (Confidence: High)

EPSS: 0.005 Low (Percentile: 76.6%)

sysstat is a set of system performance tools for the Linux operating system. On 32-bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures in sa_common.c contains a size_t overflow: the function insufficiently checks bounds before the arithmetic multiplication, allowing the size computed for the buffer that represents system activities to overflow, so a smaller buffer is allocated than is later written. This issue may lead to Remote Code Execution (RCE). It has been patched in version 12.7.1.
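
The flaw described above is a multiply-then-allocate size computation whose product can wrap in a 32-bit size_t. The following is an added example written for this page, not sysstat's code: it models the unchecked pattern beside a checked one, using uint32_t (typedef'd as size32_t, an assumed name) to stand in for a 32-bit size_t so the wrap reproduces on any host; the function names are likewise assumptions.

```c
#include <stdint.h>
#include <stdlib.h>

/* Model a 32-bit size_t with uint32_t so the wrap-around reproduces on a 64-bit host.
 * Constructed illustration; not sysstat's sa_common.c. */
typedef uint32_t size32_t;

/* Vulnerable pattern: multiply first, check nothing. On 32-bit the product wraps
 * modulo 2^32, so a large element count yields a tiny allocation size. */
static size32_t unchecked_size(size32_t count, size32_t elem_size)
{
    return count * elem_size;   /* wraps silently */
}

/* Returns 1 if count * elem_size cannot be represented in a 32-bit size_t.
 * Dividing the maximum by elem_size avoids performing the overflowing multiply. */
static int would_overflow(size32_t count, size32_t elem_size)
{
    return elem_size != 0 && count > UINT32_MAX / elem_size;
}

/* Hardened pattern: validate before multiplying; write the product only when safe. */
static int checked_size(size32_t count, size32_t elem_size, size32_t *out)
{
    if (would_overflow(count, elem_size))
        return 0;               /* caller must treat this as an error */
    *out = count * elem_size;
    return 1;
}

/* Allocate count elements of elem_size bytes, or return NULL if the size would
 * overflow, so the caller never receives a buffer smaller than it believes. */
static void *alloc_array_checked(size32_t count, size32_t elem_size)
{
    size32_t total;
    if (!checked_size(count, elem_size, &total))
        return NULL;
    return calloc(1, total);
}
```

With count and elem_size both 0x10000 the unchecked product is 0, while the checked path refuses the allocation; on GCC and Clang the division test can be replaced by __builtin_mul_overflow.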

CNA Affected

[
  {
    "vendor": "sysstat",
    "product": "sysstat",
    "versions": [
      {
        "version": ">= 9.1.16, < 12.7.1",
        "status": "affected"
      }
    ]
  }
]
