CVE-2010-1173
Published 2010-05-07
Priority: P2 · 67 · high
CVSS 2.0: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
In the wild: exploited (VulnCheck KEV)
EPSS: 21.31% (97.3rd percentile)
The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data.
Affected
338 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | <= 2.6.33.3 | — |
Detection & IOCs (extracted from sources)
Bytes: `\x20\x10\x11\x73\x00\x00\xf4\x00\x00\x05\x00\x05\x20\x10\x11\x73 + (\xc0\xff\x00\x08\xff\xff\xff\xff) * 20`
- Detect malformed SCTP INIT (SCTPChunkInit) packets containing multiple invalid variable-length parameters sent to a listening SCTP port; the exploit sends 20 repeated 8-byte invalid parameter blocks (`\xc0\xff\x00\x08\xff\xff\xff\xff`) within a single INIT chunk.
- Alert on SCTP INIT chunks where the cumulative length of variable-length parameters approaches or exceeds the path MTU, which triggers skb_over_panic in sctp_process_unk_param on kernels <= 2.6.33.3.
- Flag SCTP INIT packets sourced from port 0x1173 (4467) as a strong indicator of the sctp-boom.py exploit tool in use.
- The vulnerability only exists when SCTP is enabled in the kernel; the Linux kernel shipped with RHEL 3 was not affected because it did not include SCTP support.
- Affected kernel versions are 2.6.33.3 and earlier; fixed in upstream releases 2.6.34, 2.6.33.6, and 2.6.32.16.
- The exploit requires raw socket access (root privileges) on the attacking machine; the PoC uses the libdnet and dpkt Python libraries.
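As an added example (not code from this page or from any of the sources it aggregates), the first two detection bullets turned into a parser: it walks the variable-length parameters of one SCTP INIT chunk, counts the parameters whose type bits ask for an Unrecognized Parameter report, and compares the error data those reports would produce against the INIT chunk length, which is all the space the vulnerable kernel reserved for its ERROR chunk. The chunk type `1`, the field sizes and the `0xC000` action bits are RFC 4960 values; the sample chunk is constructed from the page's IOC bytes.

```python
import struct

# The upper two bits of an SCTP parameter type select the receiver's action
# (RFC 4960 section 3.2.1); 0b11 means "skip it, continue, but report it in an
# Unrecognized Parameter error cause", which is what the page's IOC pattern uses.
ACTION_MASK = 0xC000
ACTION_SKIP_AND_REPORT = 0xC000
ERR_CAUSE_HDR_LEN = 4      # cause code (2) + cause length (2)
INIT_CHUNK_HDR_LEN = 4     # type (1) + flags (1) + length (2)
INIT_FIXED_LEN = 16        # initiate tag, a_rwnd, OS, MIS, initial TSN

def word_round(n):
    """Pad a length to a 4-byte boundary, like the kernel's WORD_ROUND."""
    return (n + 3) & ~3

def analyse_init_chunk(chunk):
    """Walk the variable-length parameters of one INIT chunk.
    Returns (reported_params, error_bytes_needed, error_bytes_available):
    parameters demanding a report, the error-cause bytes those reports need
    (4-byte cause header + padded parameter each), and the INIT chunk length,
    the only space the vulnerable kernel reserved for the ERROR chunk (see the
    sctp_make_op_error_space call quoted from the kernel further down the page).
    """
    if len(chunk) < INIT_CHUNK_HDR_LEN + INIT_FIXED_LEN:
        raise ValueError("chunk too short for an INIT")
    ctype, _flags, clen = struct.unpack("!BBH", chunk[:4])
    if ctype != 1 or clen > len(chunk):
        raise ValueError("not a well-formed INIT chunk header")
    reported, needed = 0, 0
    off = INIT_CHUNK_HDR_LEN + INIT_FIXED_LEN
    while off + 4 <= clen:
        ptype, plen = struct.unpack("!HH", chunk[off:off + 4])
        if plen < 4 or off + plen > clen:
            break  # malformed TLV: stop walking rather than loop forever
        if ptype & ACTION_MASK == ACTION_SKIP_AND_REPORT:
            reported += 1
            needed += ERR_CAUSE_HDR_LEN + word_round(plen)
        off += word_round(plen)
    return reported, needed, clen

def is_suspicious(chunk, min_reports=2):
    """Flag an INIT whose reports would overflow the space the old kernel allocated."""
    reported, needed, available = analyse_init_chunk(chunk)
    return reported >= min_reports and needed > available

# Constructed sample input: the INIT body from the page's IOC byte pattern,
# prefixed with an INIT chunk header whose length field covers the whole chunk.
BODY = (b"\x20\x10\x11\x73\x00\x00\xf4\x00\x00\x05\x00\x05\x20\x10\x11\x73"
        + b"\xc0\xff\x00\x08\xff\xff\xff\xff" * 20)
SAMPLE_INIT = struct.pack("!BBH", 1, 0, INIT_CHUNK_HDR_LEN + len(BODY)) + BODY
```

For the page's pattern the 20 reports need 240 bytes of error causes against a 180-byte INIT chunk, which is the overflow the skb_over_panic reflects; a normal INIT with a handful of known parameters yields no reports at all.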
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v2.0) | 7.1 | HIGH | AV:N/AC:M/Au:N/C:N/I:N/A:C |
| vulncheck | 7.1 | HIGH | — |
| vendor_redhat | 7.1 | HIGH | — |
| vendor_ubuntu | 1.2 | LOW | — |
GHSA
GHSA-c3vg-xm2h-hqc2 · ghsa_unreviewed · 2022-05-02 · CVE-2010-1173 [HIGH] · CWE-20
Description: same text as the NVD description above.
VulnCheck
Linux Kernel Improper Input Validation · vulncheck · 2010 · CVE-2010-1173 [HIGH] · CVSS 7.1
Description: same text as the NVD description above.
Affected: Linux Kernel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://flare.io/learn/resources/blog/old-school-irc-new-victims-inside-the-newly-discovered-sshstalker-linux-botnet
VMware
VMSA-2011-0003: Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX · vendor_vmware · 2011-02-10 · listed under CVE-2008-0085 [MEDIUM] · CVSS 5.0
VMware Security Advisory. Advisory ID: VMSA-2011-0003. Synopsis: Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX.
CVEs: CVE-2008-0085, CVE-2008-0086, CVE-2008-0106, CVE-2008-0107, CVE-2008-3825, CVE-2008-5416, CVE-2009-1384, CVE-2009-2693, CVE-2009-2901, CVE-2009-2902, CVE-2009-3548, CVE-2009-3555, CVE-2009-4308, CVE-2010-0003, CVE-2010-0007, CVE-2010-0008, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085,
Ubuntu
Linux kernel vulnerabilities · vendor_ubuntu · 2010-08-04 · listed under CVE-2008-7256 [LOW] · CVSS 1.2
Title: Linux kernel vulnerabilities
Summary: Multiple security flaws.
Junjiro R. Okajima discovered that knfsd did not correctly handle strict overcommit. A local attacker could exploit this to crash knfsd, leading to a denial of service. (Only Ubuntu 6.06 LTS and 8.04 LTS were affected.) (CVE-2008-7256, CVE-2010-1643)
Chris Guo, Jukka Taimisto, and Olli Jarva discovered that SCTP did not correctly handle invalid parameters. A remote attacker could send specially crafted traffic that could crash the system, leading to a denial of service. (CVE-2010-1173)
Mario Mikocevic discovered that GFS2 did not correctly handle certain quota structures. A local attacker could exploit this to crash the system, leading to a denial of service. (Ubuntu 6.06 LTS was not affected.) (CVE-2010-1436)
Toshi
Red Hat
kernel: sctp: crash due to malformed SCTPChunkInit packet · vendor_redhat · 2010-04-29 · CVE-2010-1173 [HIGH] · CWE-228 · CVSS 7.1
Description: same text as the NVD description above.
Statement: Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2010-1173. This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3 as it did not include support for SCTP. Future kernel updates in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG may address this flaw. For more information, please see http://kbase.redhat.com/faq/docs
No detection rules found.
Bugzilla
kernel: another sctp-related issue (fixed by CVE-2010-1173) · bugzilla · 2010-05-18 · CVE-2010-1173 [HIGH] · CVSS 7.1
Description of problem: Reported by Nokia Siemens Networks (NSN). Turns out to be CVE-2010-1173.
Bugzilla
CVE-2010-1173 kernel: sctp: crash due to malformed SCTPChunkInit packet · bugzilla · 2010-04-22 · CVE-2010-1173 [HIGH] · CVSS 7.1
Description of problem:
Reported by Nokia-CN-Flexi via Issue Tracker. A similar issue was reported by Jukka Taimisto and Olli Jarva from the CROSS open source testing project at Codenomicon Ltd. This was also reported by Windriver on behalf of their customer via vendor-sec.
A kernel crash occurs if an SCTP listening port receives a malformed INIT packet. It is an skb_over_panic BUG halt that results from processing an INIT chunk in which too many of its variable-length parameters are in some way malformed.
The problem is in sctp_process_unk_param (the snippet is cut off in the bug report):
```c
/* net/sctp/sm_make_chunk.c, vulnerable version: the ERROR chunk is sized
 * from the INIT chunk's own length, so the 4-byte cause header added for
 * each reported parameter can push the total past the allocated space. */
if (NULL == *errp)
	*errp = sctp_make_op_error_space(asoc, chunk,
					 ntohs(chunk->chunk_hdr->length));

if (*errp) {
	sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
			WORD_ROUND(nto
```
Bugzilla
ejabberd: Remote DoS via flood of client2server messages · bugzilla · 2010-01-29 · [LOW]
Remotely exploitable DoS from XMPP client to ejabberd server via flood of "client2server" messages (causing the message queue on the server to get overloaded, leading to server crash) has been found.
Track of the incident: https://support.process-one.net/browse/EJAB-1173
Upstream patches against v2.1:
https://forge.process-one.net/rdiff/ejabberd/branches/ejabberd-2.1.x/src/configure?r1=2688&r2=2936&u&N
https://forge.process-one.net/rdiff/ejabberd/branches/ejabberd-2.1.x/src/ejabberd_c2s.erl?r1=2911&r2=2936&u&N
CVE Request: http://www.openwall.com/lists/oss-security/2010/01/29/1
Discussion: *** This bug has been marked as a duplicate of bug 559921 ***
Bugzilla
CVE-2010-0305 ejabberd: Remote DoS via flood of client2server messages · bugzilla · 2010-01-29 · CVE-2010-0305 [MEDIUM] · CVSS 5.0
Remotely exploitable DoS from XMPP client to ejabberd server via flood of "client2server" messages (causing the message queue on the server to get overloaded, leading to server crash) has been found.
Track of the incident: https://support.process-one.net/browse/EJAB-1173
Upstream patches against v2.1:
https://forge.process-one.net/rdiff/ejabberd/branches/ejabberd-2.1.x/src/configure?r1=2688&r2=2936&u&N
https://forge.process-one.net/rdiff/ejabberd/branches/ejabberd-2.1.x/src/ejabberd_c2s.erl?r1=2911&r2=2936&u&N
CVE Request: http://www.openwall.com/lists/oss-security/2010/01/29/1
Discussion: This issue affects the latest versions of ejabberd package, as shipped with Fedora 11 (ejabberd-2.1.1-1.fc11) and 12 (ejabberd
References
http://article.gmane.org/gmane.linux.network/159531
http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git%3Ba=commit%3Bh=5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809
http://kbase.redhat.com/faq/docs/DOC-31052
http://marc.info/?l=oss-security&m=127251068407878&w=2
http://secunia.com/advisories/39830
http://secunia.com/advisories/40218
http://secunia.com/advisories/43315
http://www.debian.org/security/2010/dsa-2053
http://www.mandriva.com/security/advisories?name=MDVSA-2010:198
http://www.openwall.com/lists/oss-security/2010/04/29/1
http://www.openwall.com/lists/oss-security/2010/04/29/6
http://www.redhat.com/support/errata/RHSA-2010-0474.html
http://www.securityfocus.com/archive/1/516397/100/0/threaded
http://www.vmware.com/security/advisories/VMSA-2011-0003.html
https://bugzilla.redhat.com/show_bug.cgi?id=584645
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11416