Nmap Development mailing list archives

Re: Nmap new version past 7.70 due to CVE-2018-15173


From: Fyodor <fyodor () nmap org>
Date: Wed, 29 Aug 2018 16:59:48 -0700

On Mon, Aug 27, 2018 at 5:55 PM Shashi Guruprasad <sguruprasad () fortinet com>
wrote:

Hi Fyodor, or Daniel Miller,



Would it be possible to release a new version of nmap to fix
CVE-2018-15173? Qualys is reporting this vulnerability in our system
despite installing 7.70-1. I can build from source, but it will mean that I
will need to do this all the time in the future…


Hi Shashi.  Thanks for your mail.  Even though someone applied for a CVE
number for this, it's not actually a very serious issue.  Apparently some
systems are so low in resources that they can't handle our previous depth
limit in matching service banners to our service detection signatures.  On
one of those rare systems (we haven't been able to reproduce it on any of
our modern systems), a service you scan on a remote host could accidentally
or intentionally cause the Nmap scan to crash.  We have now reduced the
depth limit so that pretty much any system should be able to handle these
edge cases.

While this doesn't seem like much of a risk in itself, there is the issue
you noted that tools may now flag Nmap 7.70 and complain because of the CVE
number.  So maybe doing a new Nmap release would be the easiest way to
solve the problem.  We'll be keeping that option in mind, although we do
have some more features we'd like to add first if possible.

Cheers,
Fyodor
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
