CVE-2014-5077
Advisory lineage Upstream: 0 Downstream: 14
Modified
Published: 01 Aug 2014, 10:00
Last modified:06 Aug 2024, 11:34
Vulnerability Summary
Overall Risk (default)
medium
31/100 CVSS Score
7.1 HIGH
v2.0 (nvd)
EPSS Score
12.78% MEDIUM
13% probability -1.92%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
01 Aug 2014, 10:00
Published
Vulnerability first disclosed
06 Aug 2024, 11:34
Last Modified
Vulnerability information updated
Description
The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel through 3.15.8, when SCTP authentication is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction.
CVSS Metrics
- v2.0•HIGH•Score: 7.1AV:N/AC:M/Au:N/C:N/I:N/A:C
EPSS Trends
Current EPSS score: 12.78%• Percentile: 94%
Techniques & Countermeasures
- CWE-476•NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Systems
- canonical•ubuntu_linux
12.04 | 14.04
- linux•linux_kernel
≥ 2.6.24, < 3.2.63 | ≥ 3.3, < 3.4.103 | ≥ 3.5, < 3.10.53 | ≥ 3.11, < 3.12.27 | ≥ 3.13, < 3.14.17 | ≥ 3.15, < 3.15.10
- redhat•enterprise_linux_eus
6.5
- redhat•enterprise_linux_server_aus
6.2 | 6.5
- redhat•enterprise_linux_server_tus
6.5
- suse•linux_enterprise_desktop
11:sp3
- suse•linux_enterprise_real_time_extension
11:sp3
- suse•linux_enterprise_server
11:sp3
References (22)
- http://secunia.com/advisories/60545
- http://secunia.com/advisories/62563
- http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00006.html
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=1be9a950c646c9092fb3618197f7b6bfb50e82aa
- http://www.ubuntu.com/usn/USN-2335-1
- http://www.ubuntu.com/usn/USN-2334-1
- http://secunia.com/advisories/60430
- http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00007.html
- http://secunia.com/advisories/60564
- http://rhn.redhat.com/errata/RHSA-2014-1083.html
- http://www.openwall.com/lists/oss-security/2014/07/26/1
- http://www.ubuntu.com/usn/USN-2359-1
- http://rhn.redhat.com/errata/RHSA-2014-1763.html
- http://secunia.com/advisories/59777
- http://rhn.redhat.com/errata/RHSA-2014-1668.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95134
- http://www.securitytracker.com/id/1030681
- http://www.ubuntu.com/usn/USN-2358-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1122982
- https://github.com/torvalds/linux/commit/1be9a950c646c9092fb3618197f7b6bfb50e82aa
- http://secunia.com/advisories/60744
- http://www.securityfocus.com/bid/68881