CVE-2019-3701

Advisory lineage Upstream: 0 Downstream: 24
Modified
Published: 03 Jan 2019, 16:00
Last modified:04 Aug 2024, 19:19

Vulnerability Summary

Overall Risk (default)
medium
30/100
CVSS Score
4.9 MEDIUM
v2.0 (nvd)
EPSS Score
0.05% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

03 Jan 2019, 16:00
Published
Vulnerability first disclosed
04 Aug 2024, 19:19
Last Modified
Vulnerability information updated

Description

An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field. The privileged user "root" with CAP_NET_ADMIN can create a CAN frame modification rule that makes the data length code a higher value than the available CAN frame data size. In combination with a configured checksum calculation where the result is stored relatively to the end of the data (e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in skb_shared_info) can be rewritten which finally can cause a system crash. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames.

CVSS Metrics

  • v3.0MEDIUMScore: 4.4CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
  • v2.0MEDIUMScore: 4.9AV:L/AC:L/Au:N/C:N/I:N/A:C

EPSS Trends

Current EPSS score: 0.05% Percentile: 15%

Techniques & Countermeasures

  • CWE-787Out-of-bounds Write

    The product writes data past the end, or before the beginning, of the intended buffer.

Affected Systems

  • canonicalubuntu_linux

    14.04 | 16.04

  • debiandebian_linux

    8.0

  • linuxlinux_kernel

    ≤ 4.19.13

References (14)