SB2013120203 - Amazon Linux AMI update for kernel

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2013120203

SB2013120203 - Amazon Linux AMI update for kernel

Published: December 2, 2013

Security Bulletin ID SB2013120203
Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Medium 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Resource management error (CVE-ID: CVE-2013-4348)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel through 3.12 allows remote attackers to cause a denial of service (infinite loop) via a small value in the IHL field of a packet with IPIP encapsulation.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-4470)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.


Remediation

Install update from vendor's website.

References