CVE-2009-0065
Published: 2009-01-07
Priority: P2 · CVSS 2.0 score 10.0 (critical)
Exploit: public exploit available
EPSS: 16.73% (96.6th percentile)
Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.28-git8 allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID.
Affected
89 ranges · showing 25 (only the first carries version data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | <= 2.6.27 | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered by a FORWARD-TSN (FWD-TSN, chunk type 192) chunk with a large or invalid stream ID (e.g., stream ID 10000, exceeding the maximum inbound streams). Monitor for SCTP FWD-TSN chunks with stream IDs >= the association's max inbound streams (MIS).
- Exploitation requires an established SCTP association between endpoints. Detect unexpected SCTP associations (IP protocol 132) on hosts that are not expected to use SCTP.
- A non-privileged user can start an SCTP service and then exploit it remotely to gain root access. Monitor for unexpected SCTP listeners started by non-root users.
- Use `grep SCTP /proc/net/protocols` to detect whether the SCTP kernel module is loaded on a host, indicating potential attack surface.
- The public exploit (EDB-8556) targets Linux kernel 2.6.20/2.6.24/2.6.27 on Ubuntu 7.04/8.04/8.10, Fedora Core 10, and OpenSuse 11.1 x86_64. Prioritize patching these specific kernel/distro combinations.
- The exploit sends crafted raw SCTP FWD-TSN packets with a large number of stream entries to overflow kernel memory. Look for raw socket usage (SOCK_RAW with IPPROTO_SCTP) combined with SCTP FWD-TSN chunk transmission.
- Exploitation is only possible if there is an established SCTP association between endpoints. Systems not running any SCTP-bound application are not directly exploitable remotely.
- The PR-SCTP extension can be disabled as a workaround by setting net.sctp.prsctp_enable=0, which prevents exploitation without requiring a reboot.
- The sctp kernel module can be blacklisted to prevent it from loading on systems that do not use SCTP, eliminating the attack surface entirely.
- Many systems include SCTP support in the kernel by default even if not actively used, broadening the potential attack surface beyond what administrators may expect.
CVSS provenance
- nvd: CVSS 2.0 10.0 CRITICAL, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
- vendor_redhat: 10.0 CRITICAL
- vendor_ubuntu: 4.0 MEDIUM
GHSA
GHSA-w8p6-7232-w86w: Buffer overflow in net/sctp/sm_statefuns
ghsa_unreviewed · 2022-05-02 · CVE-2009-0065 [HIGH] · CWE-119
Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.28-git8 allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID.
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu · 2009-04-07 · CVSS 4.0 · CVE-2009-0029 [MEDIUM]
NFS did not correctly handle races between fcntl and interrupts. A local
attacker on an NFS mount could consume unlimited kernel memory, leading to
a denial of service. (CVE-2008-4307)
Sparc syscalls did not correctly check mmap regions. A local attacker could
cause a system panic, leading to a denial of service. (CVE-2008-6107)
In certain situations, cloned processes were able to send signals to parent
processes, crossing privilege boundaries. A local attacker could send
arbitrary signals to parent processes, leading to a denial of service.
(CVE-2009-0028)
The 64-bit syscall interfaces did not correctly handle sign extension. A
local attacker could make malicious syscalls, possibly gaining root
privileges. The
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu · 2009-04-06 · CVSS 4.0 · CVE-2008-4307 [MEDIUM]
NFS did not correctly handle races between fcntl and interrupts. A local
attacker on an NFS mount could consume unlimited kernel memory, leading to
a denial of service. Ubuntu 8.10 was not affected. (CVE-2008-4307)
Sparc syscalls did not correctly check mmap regions. A local attacker
could cause a system panic, leading to a denial of service. Ubuntu 8.10
was not affected. (CVE-2008-6107)
In certain situations, cloned processes were able to send signals to parent
processes, crossing privilege boundaries. A local attacker could send
arbitrary signals to parent processes, leading to a denial of service.
(CVE-2009-0028)
The kernel keyring did not free memory correctly. A local attacker could
consume unlimited kernel
Red Hat
kernel: sctp: memory overflow when FWD-TSN chunk is received with bad stream ID
vendor_redhat · 2008-12-26 · CVSS 10.0 · CVE-2009-0065 [CRITICAL] · CWE-228
Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.28-git8 allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID.
Detection rules: none found.
Bugzilla
CVE-2009-0065 kernel: sctp: memory overflow when FWD-TSN chunk is received with bad stream ID [F9]
bugzilla · 2009-01-20 · CVSS 10.0 · CVE-2009-0065 [CRITICAL]
F9 tracking bug: see blocks bug list for full details of the security issue(s).
Discussion:
kernel-2.6.27.12-78.2.8.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/kernel-2.6.27.12-78.2.8.fc9
---
kernel-2.6.27.12-78.2.8.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing-newkey update kernel'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2009-0816
---
kernel-2.6.27.12-78.2.8.fc9 has been pushed to the Fedora 9 stable repository.
Bugzilla
CVE-2009-0065 kernel: sctp: memory overflow when FWD-TSN chunk is received with bad stream ID [F10]
bugzilla · 2009-01-20 · CVSS 10.0 · CVE-2009-0065 [CRITICAL]
+++ This bug was initially created as a clone of Bug #480861 +++
F10 tracking bug: see blocks bug list for full details of the security issue(s).
Discussion:
kernel-2.6.27.12-170.2.5.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.12-170.2.5.fc10
---
kernel-2.6.27.12-170.2.5.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update kernel'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-0923
---
kernel-2
Bugzilla
CVE-2009-0065 kernel: sctp: memory overflow when FWD-TSN chunk is received with bad stream ID
bugzilla · 2009-01-05 · CVSS 10.0 · CVE-2009-0065 [CRITICAL]
From: Wei Yongjun
If a FWD-TSN chunk is received with a bad stream ID, sctp does not perform a validity check; this may cause a memory overflow when overwriting the TSN of that stream ID.
The FORWARD-TSN chunk is like this:
FORWARD-TSN chunk
Type = 192
Flags = 0
Length = 172
NewTSN = 99
Stream = 10000
StreamSequence = 0xFFFF
This patch fixes this problem by discarding the chunk if the stream ID is not less than MIS.
Reference:
http://patchwork.ozlabs.org/patch/15024/
Upstream commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9fcb95a105758b81ef0131cd18e2db5149f13e95
Discussion:
Created attachment 328170
Upstream patch
---
I did a brief analysis. This bug can be triggered
Tenable
Scanning & Monitoring For SCTP
blogs_tenable · 2009-05-08 · CVSS 10.0 · [CRITICAL]
# Scanning & Monitoring For SCTP
Paul Asadoorian
May 8, 2009
6 Min Read
### When Denial of Service Becomes Remote Code Execution
When vulnerabilities are discovered, they are classified by various organizations using different methods. For example, CVSS scoring uses an algorithm to determine a severity rating from 1 to 10. This rating has been adopted by the NVD (National Vulnerability Database) and is used by Tenable to provide scores within the Nessus plugins. Sometimes a vulnerability is announced and its original rating is set as moderate or low. This is frequently the case with Denial of Service (DoS) vulnerabilities, as they allow an attacker to disrupt services but not gain remote access to the system. However, sometimes an advisory describes a vulnerability t
References
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=9fcb95a105758b81ef0131cd18e2db5149f13e95
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01832118
- http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00001.html
- http://patchwork.ozlabs.org/patch/15024/
- http://rhn.redhat.com/errata/RHSA-2009-0264.html
- http://secunia.com/advisories/33674
- http://secunia.com/advisories/33854
- http://secunia.com/advisories/33858
- http://secunia.com/advisories/34252
- http://secunia.com/advisories/34394
- http://secunia.com/advisories/34680
- http://secunia.com/advisories/34762
- http://secunia.com/advisories/34981
- http://secunia.com/advisories/35011
- http://secunia.com/advisories/35174
- http://secunia.com/advisories/35390
- http://secunia.com/advisories/35394
- http://secunia.com/advisories/36191
- http://support.avaya.com/elmodocs2/security/ASA-2009-114.htm
- http://www.debian.org/security/2009/dsa-1749
- http://www.debian.org/security/2009/dsa-1787
- http://www.debian.org/security/2009/dsa-1794
- http://www.openwall.com/lists/oss-security/2009/01/05/1
- http://www.redhat.com/support/errata/RHSA-2009-0053.html
- http://www.redhat.com/support/errata/RHSA-2009-0331.html
- http://www.redhat.com/support/errata/RHSA-2009-1055.html
- http://www.securityfocus.com/bid/33113
- http://www.securitytracker.com/id?1022698
- http://www.ubuntu.com/usn/usn-751-1
- http://www.vupen.com/english/advisories/2009/0029
- http://www.vupen.com/english/advisories/2009/2193
- https://bugzilla.redhat.com/show_bug.cgi?id=478800
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10872
- https://www.redhat.com/archives/fedora-package-announce/2009-January/msg01045.html
Published: 2009-01-07