#VU92801 Memory corruption in Linux kernel - CVE-2015-4004

Cybersecurity Help s.r.o.

Published: 2015-06-08 | Updated: 2022-12-12

Vulnerability identifier: #VU92801

Vulnerability risk: Low

CVSSv4.0: 6.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2015-4004

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a remote non-authenticated attacker to access sensitive information or perform a denial of service (DoS) attack.

The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untrusted length field during packet parsing, which allows remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via a crafted packet.

Mitigation
Install update from vendor's repository.

Vulnerable software versions

Linux kernel: All versions

External links
https://openwall.com/lists/oss-security/2015/06/05/7
https://lkml.org/lkml/2015/5/13/739
https://www.ubuntu.com/usn/USN-3000-1
https://www.ubuntu.com/usn/USN-2998-1
https://www.ubuntu.com/usn/USN-3002-1
https://www.ubuntu.com/usn/USN-3003-1
https://www.ubuntu.com/usn/USN-3001-1
https://www.ubuntu.com/usn/USN-3004-1
https://www.ubuntu.com/usn/USN-2989-1
https://www.securityfocus.com/bid/74669

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Memory corruption in Linux kernel