Linux Kernel up to 3.8 net/core/sock_diag.c _sock_diag_rcv_msg input validation
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 8.4 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as problematic, has been found in Linux Kernel up to 3.8. The affected element is the function _sock_diag_rcv_msg of the file net/core/sock_diag.c. Performing a manipulation results in input validation.
This vulnerability is reported as CVE-2013-1763. Moreover, an exploit is present.
To fix this issue, it is recommended to deploy a patch.
Details
A vulnerability was found in Linux Kernel up to 3.8 (Operating System). It has been classified as critical. This affects the function _sock_diag_rcv_msg of the file net/core/sock_diag.c. The manipulation with an unknown input leads to a input validation vulnerability. CWE is classifying the issue as CWE-20. The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:
Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message.
The bug was discovered 07/14/2012. The weakness was disclosed 02/24/2013 by Mathias Krause as confirmed mailinglist post (oss-sec). It is possible to read the advisory at seclists.org. This vulnerability is uniquely identified as CVE-2013-1763 since 02/19/2013. Attacking locally is a requirement. No form of authentication is needed for exploitation. Technical details and a public exploit are known.
A public exploit has been developed by sd and been published 2 days after the advisory. The exploit is shared for download at sysc.tl. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 225 days. During that time the estimated underground price was around $5k-$25k. The vulnerability scanner Nessus provides a plugin with the ID 64910 (Ubuntu 12.10 : linux vulnerabilities (USN-1750-1)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Ubuntu Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 165867 (SUSE Security Update for Kernel (openSUSE-SU-2013:0395-1)).
Applying a patch is able to eliminate this problem. The bugfix is ready for download at thread.gmane.org.
The vulnerability is also documented in the databases at Exploit-DB (24555), Tenable (64910), SecurityFocus (BID 58137†), OSVDB (90604†) and Secunia (SA52289†). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
Video
Youtube: Not available anymoreCVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 9.3VulDB Meta Temp Score: 8.4
VulDB Base Score: 9.3
VulDB Temp Score: 8.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Input validationCWE: CWE-20
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Author: sd
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 64910
Nessus Name: Ubuntu 12.10 : linux vulnerabilities (USN-1750-1)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 865961
OpenVAS Name: Fedora Update for kernel FEDORA-2013-10695
OpenVAS File: 🔍
OpenVAS Family: 🔍
Saint ID: exploit_info/linux_kernel_sock_diag
Saint Name: Linux kernel __sock_diag_rcv_msg Netlink message privilege elevation
Qualys ID: 🔍
Qualys Name: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔍
Exploit Delay Time: 🔍
Patch: thread.gmane.org
McAfee IPS: 🔍
McAfee IPS Version: 🔍
Timeline
07/14/2012 🔍02/19/2013 🔍
02/24/2013 🔍
02/24/2013 🔍
02/24/2013 🔍
02/26/2013 🔍
02/26/2013 🔍
02/26/2013 🔍
02/27/2013 🔍
02/27/2013 🔍
02/27/2013 🔍
02/28/2013 🔍
11/30/2024 🔍
Sources
Vendor: kernel.orgAdvisory: seclists.org
Researcher: Mathias Krause
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2013-1763 (🔍)
GCVE (CVE): GCVE-0-2013-1763
GCVE (VulDB): GCVE-100-7827
OVAL: 🔍
SecurityFocus: 58137 - Linux Kernel CVE-2013-1763 Local Privilege Escalation Vulnerability
Secunia: 52289 - Linux Kernel "__sock_diag_rcv_msg()" and "shmem_remount_fs()" Vulnerab, Less Critical
OSVDB: 90604
Vulnerability Center: 38536 - Linux Kernel Local Arbitrary Code Execution due to Improper Bounds-Checking of User Supplied Input, High
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 02/27/2013 10:15Updated: 11/30/2024 13:48
Changes: 02/27/2013 10:15 (92), 04/25/2017 11:07 (7), 05/05/2021 14:51 (3), 11/30/2024 13:48 (14)
Complete: 🔍
Committer: olku
Cache ID: 216:A78:103
No comments yet. Languages: en.
Please log in to comment.