CVE-2018-25423 Overview
CVE-2018-25423 is a buffer overflow vulnerability in Arm Whois 3.11, a Windows-based WHOIS lookup utility distributed by ArmCode. The flaw allows a local attacker to crash the application by submitting an oversized input string of approximately 700 bytes into the IP address or domain input field. The condition results in a denial of service against the running process. The weakness is classified under CWE-120: Buffer Copy without Checking Size of Input. No authentication or user interaction beyond local interaction with the affected client is required to trigger the crash.
Critical Impact
A local attacker can crash Arm Whois 3.11 by pasting a 700-byte payload into the lookup field, producing a reliable denial of service against the application.
Affected Products
- ArmCode Arm Whois 3.11 (Windows desktop client)
- Copies of arm-whois.exe obtained from the official ArmCode download URL
- Any deployment of Arm Whois 3.11 reachable by an interactive local user
Discovery Timeline
- 2026-05-30 - CVE-2018-25423 published to the National Vulnerability Database
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2018-25423
Vulnerability Analysis
The vulnerability resides in the input handling logic of the Arm Whois 3.11 client. The application accepts user-supplied text in the IP address or domain field without enforcing length boundaries on the destination buffer. When a string of roughly 700 bytes is pasted into that field and processed, memory beyond the allocated buffer is overwritten. The corrupted memory causes the process to terminate, producing a denial of service. The flaw is local in scope because exploitation requires interactive use of the desktop client.
Root Cause
The root cause is a missing length check before copying user input into a fixed-size stack buffer. The application copies the entire pasted string into the buffer without validating that the input length is less than or equal to the destination size. This pattern matches the classic CWE-120 buffer copy without input size checking. Because the WHOIS client is a client-side utility, the unchecked copy occurs before any network request is issued, so the crash is reproducible offline.
Attack Vector
An attacker with local access to a workstation running arm-whois.exe pastes a 700-byte string into the IP or domain input field and submits the lookup. The oversized input overflows the internal buffer and crashes the process. The impact is limited to availability of the WHOIS client, as documented by the public Exploit-DB entry #45762 and the VulnCheck Advisory for Arm-WHOIS. No code execution, integrity impact, or confidentiality impact has been demonstrated. The vulnerability stems from absent boundary checking and is reachable through the default user interface, requiring no special privileges.
Detection Methods for CVE-2018-25423
Indicators of Compromise
- Unexpected termination of arm-whois.exe on user endpoints, often correlated with a Windows Error Reporting (WER) crash event.
- Application Error events in the Windows Event Log referencing arm-whois.exe with an access violation exception (0xC0000005).
- Repeated relaunches of the WHOIS client within a short time window on the same host.
Detection Strategies
- Monitor for crash events generated by arm-whois.exe in Windows Event Log channels Application and Microsoft-Windows-WER.
- Correlate process termination telemetry with the presence of oversized clipboard or input data shortly before the crash.
- Inventory endpoints to identify installations of Arm Whois 3.11 using software asset management or EDR file metadata queries.
Monitoring Recommendations
- Track execution and crash frequency of arm-whois.exe across managed endpoints.
- Alert on repeated faults in the same process within short windows to surface intentional abuse.
- Maintain a software inventory rule that flags any host running Arm Whois 3.11 so remediation can be prioritized.
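One way to implement the crash monitoring and repeated-fault alerting described above on a single endpoint, as an added example that is not part of the advisory or any vendor tooling. The lookback and burst thresholds are assumptions, and the property indexes follow the standard layout of the Application Error event 1000 payload.

```powershell
# Added example: list arm-whois.exe crashes from the Application log and flag bursts.
$LookbackHours = 24   # assumed review window
$BurstCount    = 3    # assumed: this many faults...
$BurstMinutes  = 10   # ...within this many minutes counts as a burst

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
}

# Event 1000 payload: [0] application name, [1] application version, [6] exception code.
# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches.
$crashes = @(
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -ieq 'arm-whois.exe' } |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time            = $_.TimeCreated
                Computer        = $_.MachineName
                AppVersion      = $_.Properties[1].Value
                ExceptionCode   = $_.Properties[6].Value
                AccessViolation = [bool]($_.Properties[6].Value -match 'c0000005')
            }
        }
)

# Sliding window over the time-ordered crashes: a burst is $BurstCount faults
# whose first and last timestamps are at most $BurstMinutes apart.
$bursts = @(
    for ($i = 0; $i + $BurstCount -le $crashes.Count; $i++) {
        $first = $crashes[$i]
        $last  = $crashes[$i + $BurstCount - 1]
        if (($last.Time - $first.Time).TotalMinutes -le $BurstMinutes) {
            [pscustomobject]@{ Start = $first.Time; End = $last.Time; Faults = $BurstCount }
        }
    }
)

$crashes | Format-Table -AutoSize
if ($bursts.Count -gt 0) {
    Write-Warning ("{0} burst(s) of repeated arm-whois.exe faults detected" -f $bursts.Count)
    $bursts | Format-Table -AutoSize
}
```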
How to Mitigate CVE-2018-25423
Immediate Actions Required
- Identify all endpoints with arm-whois.exe version 3.11 installed using software inventory tools.
- Remove or block execution of the Arm Whois 3.11 client until a fixed build is available from the vendor.
- Restrict use of the application to non-privileged user accounts and avoid pasting untrusted content into its input fields.
Patch Information
No vendor-issued security patch is referenced in the available advisories. The VulnCheck Advisory for Arm-WHOIS and the ArmCode Official Website should be checked for an updated release. Until a fixed version is published, treat Arm Whois 3.11 as unsupported and avoid installing it on production endpoints.
Workarounds
- Uninstall Arm Whois 3.11 and substitute a maintained WHOIS client or use built-in command-line tooling.
- Block execution of arm-whois.exe through Windows Defender Application Control (WDAC) or AppLocker policies.
- Apply least-privilege controls so the application cannot be executed by service or shared accounts.
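# Example AppLocker rule to deny execution of arm-whois.exe (PowerShell)
# New-AppLockerPolicy only generates Allow rules, so build the path rule, switch it to Deny, then merge it.
# -Merge keeps existing rules; the Exe collection still needs its allow rules or enforcement blocks everything else.
$exe = "$env:ProgramFiles\ArmCode\Arm Whois\arm-whois.exe"   # file must exist at this path
$policy = Get-AppLockerFileInformation -Path $exe |
    New-AppLockerPolicy -RuleType Path -User Everyone -RuleNamePrefix "Block-ArmWhois-CVE-2018-25423"
foreach ($collection in $policy.RuleCollections) { foreach ($rule in $collection) { $rule.Action = 'Deny' } }
Set-AppLockerPolicy -PolicyObject $policy -Merge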


