Linux Kernel 3.0.94/3.4.60 IPv6 Socket IOCTL net/ipv6/ip6_fib.c fib6_add access control
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.3 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Linux Kernel 3.0.94/3.4.60. It has been declared as problematic. Affected is the function fib6_add of the file net/ipv6/ip6_fib.c of the component IPv6 Socket IOCTL Handler. The manipulation results in access control.
This vulnerability is reported as CVE-2013-6431. No exploit exists.
Applying a patch is advised to resolve this issue.
Details
A vulnerability was found in Linux Kernel 3.0.94/3.4.60 (Operating System). It has been classified as problematic. Affected is the function fib6_add of the file net/ipv6/ip6_fib.c of the component IPv6 Socket IOCTL Handler. The manipulation with an unknown input leads to a access control vulnerability. CWE is classifying the issue as CWE-264. This is going to have an impact on availability. CVE summarizes:
The fib6_add function in net/ipv6/ip6_fib.c in the Linux kernel before 3.11.5 does not properly implement error-code encoding, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for an IPv6 SIOCADDRT ioctl call.
The weakness was disclosed 09/11/2013 by Prasad J Pandit with Red Hat Security Response Team as Bug 1039054 as confirmed bug report (Bugzilla). The advisory is shared for download at bugzilla.redhat.com. The public release has been coordinated in cooperation with the vendor. This vulnerability is traded as CVE-2013-6431 since 11/04/2013. The attack needs to be approached locally. Required for exploitation is a authentication. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1068. The advisory points out:
It could occur while doing an ioctl(SIOCADDRT) call on an IPv6 socket. User would need to have CAP_NET_ADMIN privileges to perform such a call.
The vulnerability scanner Nessus provides a plugin with the ID 75251 (openSUSE Security Update : kernel (openSUSE-SU-2014:0204-1)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family SuSE Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 195890 (Ubuntu Security Notification for Linux Vulnerabilities (USN-2049-1)).
Applying a patch is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. A possible mitigation has been published immediately after the disclosure of the vulnerability. The bug report contains the following remark:
This issue does not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6. This issue affects the version of the kernel package as shipped with Red Hat Enterprise MRG 2. Future kernel updates for Red Hat Enterprise MRG 2 may address this issue.
The vulnerability is also documented in the databases at X-Force (89490), Tenable (75251), SecurityFocus (BID 64137†), OSVDB (100797†) and Secunia (SA55606†). The entries VDB-11364 and VDB-65709 are pretty similar. VulDB is the best source for vulnerability data and more expert information about this specific topic.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.5VulDB Meta Temp Score: 5.3
VulDB Base Score: 5.5
VulDB Temp Score: 5.3
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Access controlCWE: CWE-264
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 75251
Nessus Name: openSUSE Security Update : kernel (openSUSE-SU-2014:0204-1)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 850566
OpenVAS Name: SuSE Update for kernel openSUSE-SU-2014:0204-1 (kernel)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Patch: git.kernel.org
Timeline
09/11/2013 🔍09/11/2013 🔍
11/04/2013 🔍
11/29/2013 🔍
12/06/2013 🔍
12/06/2013 🔍
12/09/2013 🔍
12/12/2013 🔍
02/17/2014 🔍
06/04/2021 🔍
Sources
Vendor: kernel.orgAdvisory: Bug 1039054
Researcher: Prasad J Pandit
Organization: Red Hat Security Response Team
Status: Confirmed
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2013-6431 (🔍)
GCVE (CVE): GCVE-0-2013-6431
GCVE (VulDB): GCVE-100-11472
OVAL: 🔍
X-Force: 89490
SecurityFocus: 64137 - Linux Kernel CVE-2013-6431 NULL Pointer Dereference Local Denial of Service Vulnerability
Secunia: 55606 - Linux Kernel Radiotap Header Processing Denial of Service Vulnerability, Less Critical
OSVDB: 100797
Vulnerability Center: 43299 - Linux Kernel before 3.11.5 Local DoS Vulnerability via CAP_NET_ADMIN, Medium
See also: 🔍
Entry
Created: 12/12/2013 15:34Updated: 06/04/2021 09:14
Changes: 12/12/2013 15:34 (80), 05/21/2017 14:03 (9), 06/04/2021 09:14 (3)
Complete: 🔍
Cache ID: 216:3D6:103
No comments yet. Languages: en.
Please log in to comment.