#VU42535 Cryptographic issues in Linux kernel - CVE-2013-4350
Vulnerability identifier: #VU42535
Vulnerability risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-310
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Linux kernel
Operating systems & Components /
Operating system
Vendor: Linux Foundation
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel through 3.11.1 uses data structures and function calls that do not trigger an intended configuration of IPsec encryption, which allows remote attackers to obtain sensitive information by sniffing the network.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Linux kernel: 3.0 - 3.0.68, 3.1 - 3.11.1, 3.2 - 3.2.30, 3.3 - 3.3.8, 3.4 - 3.4.32, 3.5.1 - 3.5.7, 3.6 - 3.6.11, 3.7 - 3.7.10, 3.8.0 - 3.8.13, 3.9 - 3.9.11
External links
https://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=95ee62083cb6453e056562d91f597552021e6ae7
https://rhn.redhat.com/errata/RHSA-2013-1490.html
https://www.openwall.com/lists/oss-security/2013/09/13/3
https://www.ubuntu.com/usn/USN-2019-1
https://www.ubuntu.com/usn/USN-2021-1
https://www.ubuntu.com/usn/USN-2022-1
https://www.ubuntu.com/usn/USN-2024-1
https://www.ubuntu.com/usn/USN-2038-1
https://www.ubuntu.com/usn/USN-2039-1
https://www.ubuntu.com/usn/USN-2041-1
https://www.ubuntu.com/usn/USN-2045-1
https://www.ubuntu.com/usn/USN-2049-1
https://www.ubuntu.com/usn/USN-2050-1
https://bugzilla.redhat.com/show_bug.cgi?id=1007872
https://github.com/torvalds/linux/commit/95ee62083cb6453e056562d91f597552021e6ae7
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
