Missing initialization of resource in Linux kernel

#VU61098 Missing initialization of resource in Linux kernel

Published: 2022-03-08

Vulnerability identifier: #VU61098

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3655

CWE-ID: CWE-909

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor:

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to missing initialization of resource in the Linux kernel when processing inbound SCTP packets. A remote attacker can send specially crafted SCTP packets to the system and force the kernel to read uninitialized memory.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://bugzilla.redhat.com/show_bug.cgi?id=1984024
http://lists.debian.org/debian-lts-announce/2021/10/msg00010.html
http://lists.debian.org/debian-lts-announce/2021/12/msg00012.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Google Android

Ubuntu update for linux

Ubuntu update for linux-oem-5.10

openEuler update for kernel

Information disclosure in Linux kernel SCTP subsystem