#VU42961 Resource management error in Linux kernel - CVE-2013-2636

Cybersecurity Help s.r.o.

Published: 2013-03-22 | Updated: 2020-08-11

Vulnerability identifier: #VU42961

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2013-2636

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

net/bridge/br_mdb.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel: 3.8.0 - 3.8.2

External links
https://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c085c49920b2f900ba716b4ca1c1a55ece9872cc
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.4
https://www.openwall.com/lists/oss-security/2013/03/20/1
https://bugzilla.redhat.com/show_bug.cgi?id=923652
https://github.com/torvalds/linux/commit/c085c49920b2f900ba716b4ca1c1a55ece9872cc

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Resource management error in Linux kernel