#VU43082 Cryptographic issues in Linux kernel - CVE-2012-5374
Vulnerability identifier: #VU43082
Vulnerability risk: Medium
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-310
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Linux kernel
Operating systems & Components /
Operating system
Vendor: Linux Foundation
Description
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The CRC32C feature in the Btrfs implementation in the Linux kernel before 3.8-rc1 allows local users to cause a denial of service (extended runtime of kernel code) by creating many different files whose names are associated with the same CRC32C hash value.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Linux kernel: 3.0 - 3.0.44, 3.1 - 3.1.10, 3.2 - 3.2.30, 3.3 - 3.3.8, 3.4 - 3.4.24, 3.5.1 - 3.5.7, 3.6.9 - 3.6.11, 3.7 - 3.7.9
External links
https://crypto.junod.info/2012/12/13/hash-dos-and-btrfs/
https://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9c52057c698fb96f8f07e7a4bcf4801a092bda89
https://lists.opensuse.org/opensuse-security-announce/2013-03/msg00004.html
https://openwall.com/lists/oss-security/2012/12/13/20
https://www.kernel.org/pub/linux/kernel/v3.x/testing/patch-3.8-rc1.bz2
https://www.ubuntu.com/usn/USN-1944-1
https://www.ubuntu.com/usn/USN-1945-1
https://www.ubuntu.com/usn/USN-1946-1
https://www.ubuntu.com/usn/USN-1947-1
https://www.ubuntu.com/usn/USN-2017-1
https://github.com/torvalds/linux/commit/9c52057c698fb96f8f07e7a4bcf4801a092bda89
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
