Memory corruption in Linux kernel - CVE-2015-4004

 


Published: June 8, 2015 / Updated: December 12, 2022


Vulnerability identifier: #VU92801
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2015-4004
CWE-ID: CWE-119
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to access sensitive information or perform a denial of service (DoS) attack.

The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untrusted length field during packet parsing, which allows remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via a crafted packet.
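The length check this bug class calls for, as an added example in C that is not the OZWPAN driver's code. The element layout (1-byte type, 1-byte length), the `copy_element` function and the sample frames are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical element layout for illustration (not the OZWPAN wire format):
 * 1-byte type, 1-byte payload length, then the payload. */
#define ELT_HDR_LEN 2

/* Copy out the payload of the first element of type want_type.
 * Returns the payload length, or -1 if the frame is malformed or has no match. */
int copy_element(const uint8_t *frame, size_t frame_len, uint8_t want_type,
                 uint8_t *out, size_t out_cap)
{
    size_t off = 0;
    while (off < frame_len) {
        /* The element header must fit in the bytes actually received. */
        if (frame_len - off < ELT_HDR_LEN)
            return -1;
        uint8_t type = frame[off];
        size_t plen = frame[off + 1];   /* sender-controlled, untrusted */
        off += ELT_HDR_LEN;

        /* Without this check, a declared length larger than the remaining
         * bytes makes the memcpy below read past the end of the frame. */
        if (plen > frame_len - off)
            return -1;
        if (type == want_type) {
            if (plen > out_cap)
                return -1;
            memcpy(out, frame + off, plen);
            return (int)plen;
        }
        off += plen;
    }
    return -1;
}

/* Constructed sample frames. bad_frame declares 0x40 payload bytes, carries 3. */
static const uint8_t good_frame[] = { 0x01, 0x02, 0xAA, 0xBB, 0x02, 0x03, 'a', 'b', 'c' };
static const uint8_t bad_frame[]  = { 0x02, 0x40, 'a', 'b', 'c' };
static uint8_t out[64];

int main(void)
{
    printf("good: %d\n", copy_element(good_frame, sizeof good_frame, 2, out, sizeof out));
    printf("bad:  %d\n", copy_element(bad_frame, sizeof bad_frame, 2, out, sizeof out));
    return 0;
}
```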


How to mitigate CVE-2015-4004

Install the update from the vendor's repository.
