CVE-2023-4491

9.8 CRITICAL

📋 TL;DR

A buffer overflow vulnerability in Easy Address Book Web Server 1.6 allows remote attackers to execute arbitrary code by sending an overly long username string via POST request to /searchbook.ghp. This affects all users running the vulnerable version of the software.

💻 Affected Systems

Products:
  • Easy Address Book Web Server
Versions: 1.6
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation and requires no special configuration to be exploitable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote code execution leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to web server compromise, data exfiltration, and lateral movement within the network.

🟢 If Mitigated

Attack blocked at network perimeter or detected before successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and exploitation appears straightforward based on the description.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-efs-software-products

Restart Required: Yes

Instructions:

1. Check the vendor advisory for patch availability.
2. If a patch exists, download and install it.
3. Restart the web server service.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Network Segmentation


Isolate the vulnerable server from internet access and restrict internal network access.

Web Application Firewall


Deploy WAF rules to block requests with excessive username length to /searchbook.ghp endpoint.

🧯 If You Can't Patch

  • Immediately take the vulnerable server offline and replace with alternative software.
  • Implement strict network access controls to limit exposure to only necessary users.

🔍 How to Verify

Check if Vulnerable:

Check the software version in the application interface or installation directory. If version is 1.6, the system is vulnerable.

Check Version:

Check the application's about dialog or installation properties.

Verify Fix Applied:

Verify the software version has been updated to a patched version (if available) or that the server is no longer accessible.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long username strings in web server logs
  • Multiple failed POST requests to /searchbook.ghp
  • Crash or restart of the web server process

Network Indicators:

  • POST requests to /searchbook.ghp with payloads exceeding normal username length
  • Unusual outbound connections from the web server

SIEM Query:

(source="web_server" AND uri="/searchbook.ghp" AND request_length>1000) OR (process="easyserver.exe" AND event="crash")
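The log and network indicators above can be checked offline against exported web server logs. The following Python script is an added example written for this page, not tooling from the vendor or the advisory: it assumes a simple constructed log format (timestamp, client IP, method, URI, status, request bytes), flags POST requests to /searchbook.ghp whose request length exceeds the 1000-byte threshold used in the SIEM query, and flags clients that repeatedly receive error responses on that endpoint. The request-size threshold comes from the query above; the "three or more failed POSTs per client" threshold and the log format are assumptions for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

TARGET_URI = "/searchbook.ghp"
REQUEST_LENGTH_THRESHOLD = 1000   # same cut-off as the SIEM query's request_length>1000
FAILED_POST_THRESHOLD = 3         # assumption: three or more failed POSTs from one client

# Assumed line format (constructed for this example, not the product's real log format):
#   <timestamp> <client_ip> <method> <uri> <status> <request_bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) "
    r"(?P<status>\d{3}) (?P<req_bytes>\d+)$"
)

# Constructed sample log lines; 192.0.2.7 sends oversized bodies and gets server errors
SAMPLE_LOG = """
2024-01-01T10:00:00Z 10.0.0.5 GET /index.ghp 200 312
2024-01-01T10:00:01Z 10.0.0.5 POST /searchbook.ghp 200 84
2024-01-01T10:00:02Z 192.0.2.7 POST /searchbook.ghp 500 2048
2024-01-01T10:00:03Z 192.0.2.7 POST /searchbook.ghp 500 2048
2024-01-01T10:00:04Z 192.0.2.7 POST /searchbook.ghp 500 2048
2024-01-01T10:00:05Z 10.0.0.9 POST /searchbook.ghp 404 120
this line is malformed and is skipped by the parser
"""


@dataclass(frozen=True)
class Alert:
    rule: str      # "oversized_post" or "repeated_failed_post"
    client: str    # source IP the alert concerns
    detail: str    # human-readable context


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["req_bytes"] = int(rec["req_bytes"])
    return rec


def detect(lines, length_threshold=REQUEST_LENGTH_THRESHOLD,
           failed_threshold=FAILED_POST_THRESHOLD):
    """Return alerts for the two log indicators: oversized POSTs and repeated failed POSTs."""
    alerts = []
    failed_posts = Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue                      # malformed line: ignore rather than crash
        if rec["method"] != "POST" or rec["uri"] != TARGET_URI:
            continue                      # only the vulnerable endpoint is of interest
        if rec["req_bytes"] > length_threshold:
            alerts.append(Alert("oversized_post", rec["ip"],
                                f"{rec['req_bytes']} bytes at {rec['ts']}"))
        if rec["status"] >= 400:
            failed_posts[rec["ip"]] += 1  # 4xx/5xx counts as a failed request
    for ip, n in failed_posts.items():
        if n >= failed_threshold:
            alerts.append(Alert("repeated_failed_post", ip, f"{n} failed POSTs"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"[{alert.rule}] {alert.client}: {alert.detail}")
```

Run it against real exports by replacing SAMPLE_LOG with the file contents and adjusting LINE_RE to the server's actual log layout; a 5xx on this endpoint combined with an oversized body is the pairing most worth escalating, since a crash of the server process is itself one of the listed indicators.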
