CVE-2020-9760

9.8 CRITICAL

📋 TL;DR

A buffer overflow vulnerability in WeeChat IRC client versions 0.3.4 through 2.7 allows remote attackers to crash the application or potentially execute arbitrary code by sending specially crafted IRC messages with long nick prefixes. This affects all users running vulnerable versions of WeeChat who connect to IRC servers.

💻 Affected Systems

Products:
  • WeeChat
Versions: 0.3.4 through 2.7
Operating Systems: Linux, macOS, BSD, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations using IRC plugin are vulnerable when connecting to IRC servers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or installation of persistent backdoors.

🟠 Likely Case

Application crash (denial of service) when processing malicious IRC messages from untrusted servers.

🟢 If Mitigated

Limited to application crash if exploit attempts fail or are blocked by network controls.

🌐 Internet-Facing: HIGH - Attackers can exploit this remotely via IRC protocol without authentication.
🏢 Internal Only: MEDIUM - Requires connection to malicious or compromised IRC servers, which could occur internally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted IRC 005 messages, which is straightforward for attackers controlling IRC servers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.1

Vendor Advisory: https://weechat.org/doc/security/

Restart Required: Yes

Instructions:

1. Update WeeChat to version 2.7.1 or later using your package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade weechat
3. For source installation: download from weechat.org and compile.
4. Restart WeeChat after update.

🔧 Temporary Workarounds

Disconnect from untrusted IRC servers

all

Temporarily disconnect from IRC servers until patched to prevent exploitation.

/disconnect
/quit

Use network filtering

linux

Block or filter IRC traffic from untrusted sources using firewall rules.

# WeeChat is a client, so the connections to block are outbound (OUTPUT chain) to the IRC ports
iptables -A OUTPUT -p tcp --dport 6667 -j DROP
iptables -A OUTPUT -p tcp --dport 6697 -j DROP

🧯 If You Can't Patch

  • Disable IRC plugin entirely: /plugin unload irc
  • Use alternative IRC client until patching is possible

🔍 How to Verify

Check if Vulnerable:

Check WeeChat version: /version. If version is between 0.3.4 and 2.7 inclusive, system is vulnerable.

Check Version:

/version

Verify Fix Applied:

Verify version is 2.7.1 or higher: /version should show 2.7.1+.

📡 Detection & Monitoring

Log Indicators:

  • WeeChat crash logs
  • Segmentation fault errors in system logs
  • Unexpected disconnections from IRC

Network Indicators:

  • Unusual IRC 005 messages with long parameters
  • IRC traffic from suspicious sources
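
The first network indicator can be checked mechanically. The following is an added example, not part of the advisory or of WeeChat: it parses raw IRC lines (assumed to come from a plaintext capture or proxy log) and flags 005 messages with an oversized token or an unusually long PREFIX list. The thresholds, function names and sample lines are assumptions constructed for illustration.

```python
import re

# Assumed thresholds, not values from the advisory; tune them per network.
MAX_PREFIX_ENTRIES = 8   # servers commonly advertise 2-5, e.g. PREFIX=(qaohv)~&@%+
MAX_TOKEN_LEN = 64       # generous cap for any single 005 token
PREFIX_RE = re.compile(r"^PREFIX=\(([^)]*)\)(.*)$")

def isupport_tokens(line):
    """Return the tokens of a raw 005 (RPL_ISUPPORT) line, or None otherwise."""
    parts = line.rstrip("\r\n").split(" ")
    while parts and parts[0][:1] in ("@", ":"):   # skip IRCv3 tags and source
        parts.pop(0)
    if len(parts) < 3 or parts[0] != "005":
        return None
    tokens = []
    for part in parts[2:]:                         # parts[1] is the target nick
        if part.startswith(":"):                   # trailing free text begins
            break
        if part:
            tokens.append(part)
    return tokens

def check_line(line):
    """Return a list of findings for one raw IRC line (empty when clean)."""
    findings = []
    for tok in isupport_tokens(line) or []:
        if len(tok) > MAX_TOKEN_LEN:
            findings.append(f"{tok.split('=', 1)[0]}: token is {len(tok)} chars")
        m = PREFIX_RE.match(tok)
        if m:
            modes, prefixes = m.groups()
            if len(modes) != len(prefixes):
                findings.append("PREFIX: mode/prefix count mismatch")
            if max(len(modes), len(prefixes)) > MAX_PREFIX_ENTRIES:
                findings.append(f"PREFIX: {max(len(modes), len(prefixes))} entries")
    return findings

# Constructed sample lines; server name and nick are placeholders.
SAMPLE = [
    ":irc.example.net 001 alice :Welcome to the network",
    ":irc.example.net 005 alice CHANTYPES=# PREFIX=(qaohv)~&@%+ NICKLEN=30 :are supported",
    ":irc.example.net 005 alice PREFIX=(" + "x" * 12 + ")" + "+" * 12 + " :are supported",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        for finding in check_line(raw):
            print(f"ALERT {finding} <- {raw[:50]}")
```

Traffic on the TLS port (6697) is not visible to a passive capture, so this check only applies where the plaintext lines are available.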

SIEM Query:

source="weechat.log" AND ("segmentation fault" OR "crash" OR "buffer overflow")
