CVE-2018-10195

7.1 HIGH

📋 TL;DR

This vulnerability in lrzsz (a file transfer tool) allows information leakage to the receiving side due to an integer overflow in the zsdata function. Attackers can exploit this to read unintended memory contents from the sending system. Anyone using vulnerable versions of lrzsz for file transfers is affected.

💻 Affected Systems

Products:
  • lrzsz
Versions: All versions before 0.12.21~rc
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where lrzsz is installed and used for file transfers. Many distributions ship lrzsz but it may not be actively used.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive memory contents (including passwords, keys, or other process data) could be leaked to an attacker-controlled receiving system during file transfers.

🟠 Likely Case

Partial memory disclosure of the sending process, potentially revealing sensitive information or system details that could aid further attacks.

🟢 If Mitigated

With proper network segmentation and monitoring, impact is limited to potential information disclosure within controlled environments.

🌐 Internet-Facing: MEDIUM - lrzsz is typically used for file transfers which may occur over internet connections, but requires specific usage patterns.
🏢 Internal Only: MEDIUM - Internal file transfers using vulnerable versions could leak sensitive data between systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the attacker to be the receiving side of an lrzsz file transfer session. No public exploit code has been documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.12.21~rc and later

Vendor Advisory: http://www.ohse.de/uwe/software/lrzsz.html

Restart Required: No

Instructions:

1. Update the lrzsz package using your distribution's package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt install lrzsz
3. For RHEL/CentOS: sudo yum update lrzsz
4. For source installations: download and compile version 0.12.21~rc or later from the official site.

🔧 Temporary Workarounds

Disable lrzsz usage

Platform: Linux

Replace lrzsz with alternative secure file transfer methods like scp, sftp, or rsync over SSH.

# Remove lrzsz package:
sudo apt remove lrzsz
# Or:
sudo yum remove lrzsz

Network restrictions

Platform: Linux

Restrict network access to systems using lrzsz to trusted networks only.

# Example iptables rule (replace trusted_network with your trusted source range):
sudo iptables -A INPUT -p tcp --dport 115 ! -s trusted_network -j DROP

🧯 If You Can't Patch

  • Replace lrzsz with alternative secure file transfer tools like scp or sftp.
  • Isolate systems using lrzsz to segmented network zones with strict access controls.

🔍 How to Verify

Check if Vulnerable:

Check lrzsz version: lrz --version or check package version with your package manager.

Check Version:

lrz --version 2>/dev/null || sz --version 2>/dev/null || dpkg -l lrzsz 2>/dev/null || rpm -q lrzsz 2>/dev/null

Verify Fix Applied:

Verify installed version is 0.12.21~rc or later: lrz --version | grep -E '0\.12\.21|0\.12\.22|0\.12\.23'
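The grep above only recognises the three version strings it lists. As an added example (not part of the original advisory or of lrzsz), the function below compares the numeric version against the 0.12.21 threshold stated on this page. The function name and sample strings are constructed for illustration, and it assumes the upstream version number is what matters, so a distribution package carrying a backported fix under an older number is reported as vulnerable.

```shell
#!/bin/sh
# lrzsz_version_status (hypothetical helper): classify a version string
# against the fixed release named on this page (0.12.21~rc and later).
# Prints "fixed", "vulnerable" or "unknown"; returns 0, 1 or 2.
lrzsz_version_status() {
    # Keep the first dotted-numeric run, so "lrz (lrzsz) 0.12.20",
    # "0.12.21~rc" and "lrzsz-0.12.20-36.el7.x86_64" all reduce to x.y.z.
    lv_ver=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    if [ -z "$lv_ver" ]; then
        echo unknown
        return 2
    fi

    # Split on dots into positional parameters (digits and dots only,
    # so no pathname expansion can occur here).
    lv_ifs=$IFS; IFS=.
    set -- $lv_ver
    IFS=$lv_ifs

    # Compare component by component against 0.12.21; missing parts count as 0.
    for lv_fixed in 0 12 21; do
        lv_have=${1:-0}
        [ "$#" -eq 0 ] || shift
        if [ "$lv_have" -gt "$lv_fixed" ]; then echo fixed; return 0; fi
        if [ "$lv_have" -lt "$lv_fixed" ]; then echo vulnerable; return 1; fi
    done
    echo fixed
    return 0
}

# Constructed sample inputs in the shapes a version banner or a package
# query might print; replace with the output of the Check Version command.
for lv_sample in 'lrz (lrzsz) 0.12.20' '0.12.21~rc' \
                 'lrzsz-0.12.20-36.el7.x86_64' 'package lrzsz is not installed'; do
    printf '%-34s %s\n' "$lv_sample" "$(lrzsz_version_status "$lv_sample" || true)"
done
```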

📡 Detection & Monitoring

Log Indicators:

  • Unusual file transfer patterns using lrzsz
  • Multiple failed or abnormal lrzsz sessions

Network Indicators:

  • Port 115 (default lrzsz port) traffic to untrusted destinations
  • Unusual data patterns in lrzsz protocol traffic

SIEM Query:

(source_port:115 OR dest_port:115) AND (protocol:lrzsz OR process_name:lrz OR process_name:sz)
