Vulnerability Note VU#879386
Multiple buffer overflow vulnerabilities in QNX
Overview
Multiple buffer overflow vulnerabilities have been reported in QNX.
Description
QNX is an RTOS (Realtime Operating System). QNX is used in many different devices and industries, including, but not limited to,
According to this vulnerability report, the following commands contain buffer overflow vulnerabilities:
- /bin/du
- /bin/find
- /bin/lex
- /bin/mkdir
- /bin/rm
- /bin/serserv
- /bin/tcpserv
- /bin/termdef
- /bin/time
- /bin/unzip
- /bin/use
- /bin/wcc
- /bin/wcc386
- /bin/wd
- /bin/wdisasm
- /bin/which
- /bin/wlib
- /bin/wlink
- /bin/wpp
- /bin/wpp386
- /bin/wprof
- /bin/write
- /bin/wstrip
Impact
A local attacker may be able to execute arbitrary code.
Solution
The CERT/CC is currently unaware of a practical solution to this problem.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Alcatel | Not Affected | 12 Jun 2002 | 24 Sep 2002 |
| CNT | Not Affected | - | 17 Jun 2002 |
| Convedia Corporation | Not Affected | 13 Jun 2002 | 14 Jun 2002 |
| Cray Inc. | Not Affected | 12 Jun 2002 | 14 Jun 2002 |
| Cyclades Corporation | Not Affected | 13 Jun 2002 | 25 Jun 2002 |
| IBM | Not Affected | 12 Jun 2002 | 24 Sep 2002 |
| Inktomi Corporation | Not Affected | - | 14 Jun 2002 |
| Intrusion Inc. | Not Affected | 13 Jun 2002 | 19 Jun 2002 |
| Ishoni Networks | Not Affected | 13 Jun 2002 | 17 Jun 2002 |
| Juniper Networks | Not Affected | 12 Jun 2002 | 14 Jun 2002 |
| Lotus Software | Not Affected | 12 Jun 2002 | 14 Jun 2002 |
| NEC Corporation | Not Affected | 12 Jun 2002 | 21 Nov 2002 |
| Network Appliance | Not Affected | 12 Jun 2002 | 13 Jun 2002 |
| Network Computing Technologies | Not Affected | - | 14 Jun 2002 |
| Nortel Networks | Not Affected | 12 Jun 2002 | 18 Jul 2002 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://online.securityfocus.com/archive/1/276553
- http://qdn.qnx.com/support/docs/qnx4/index.html
- http://www.securityfocus.com/bid/5000
- http://www.qnx.com
Credit
Thanks to Egor Egorov for reporting this vulnerability.
This document was written by Ian A Finlay.
Other Information
- CVE IDs: Unknown
- Date Public: 12 Jun 2002
- Date First Published: 11 Oct 2002
- Date Last Updated: 05 Aug 2003
- Severity Metric: 17.25
- Document Revision: 27