CVE-2013-1828
Published 2013-03-22
Priority: P4 (30) · medium · 6.9 (CVSS 2.0)
AV:L/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 1.01% (58.9th percentile)
The sctp_getsockopt_assoc_stats function in net/sctp/socket.c in the Linux kernel before 3.8.4 does not validate a size value before proceeding to a copy_from_user operation, which allows local users to gain privileges via a crafted application that contains an SCTP_GET_ASSOC_STATS getsockopt system call.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | — | — |
| linux | linux_kernel | >= 3.8 < 3.8.4 | 3.8.4 |
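CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| vendor_debian | — | 6.9 | LOW | — |
| vendor_redhat | — | 6.9 | MEDIUM | — |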
GHSA
GHSA-qrrj-44rg-hf92: The sctp_getsockopt_assoc_stats function in net/sctp/socket
ghsa_unreviewed·2022-05-17
CVE-2013-1828 [MEDIUM] CWE-20
Red Hat
kernel: sctp: SCTP_GET_ASSOC_STATS stack buffer overflow
vendor_redhat·2013-03-08·CVSS 6.9
CVE-2013-1828 [MEDIUM] CWE-121
Statement: Not vulnerable.
This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5 and 6, and Red Hat Enterprise MRG as those versions are missing upstream commit 196d6759 that introduced this issue.
Package: kernel (Red Hat Enterprise Linux 5) - Not affected
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: realtime-kernel (Red Hat Enterprise MRG 2) - Not affected
Debian
CVE-2013-1828: linux - The sctp_getsockopt_assoc_stats function in net/sctp/socket.c in the Linux kerne...
vendor_debian·2013·CVSS 6.9
CVE-2013-1828 [MEDIUM]
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
Bugzilla
CVE-2013-1828 kernel: sctp: SCTP_GET_ASSOC_STATS stack buffer overflow
bugzilla·2013-03-08·CVSS 6.9
CVE-2013-1828 [MEDIUM]
A local user could use the missing size check in the sctp_getsockopt_assoc_stats() function to escalate their privileges. On x86 this might be mitigated by the destination object size check, as the destination size is known at compile time.
Upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=726bc6b0
Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=196d6759
Introduced in:
v3.8-rc1
References:
https://twitter.com/grsecurity/status/309805924749541376
http://grsecurity.net/~spender/sctp.c
Discussion:
Created kernel tracking bugs for this issue
Affects: fedora-all [bug 919316]
Bugzilla
CVE-2013-1828 kernel: sctp: SCTP_GET_ASSOC_STATS stack buffer overflow [fedora-all]
bugzilla·2013-03-08·CVSS 6.9
CVE-2013-1828 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this iss
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=726bc6b092da4c093eb74d13c07184b18c1af0f1
http://grsecurity.net/~spender/sctp.c
http://twitter.com/grsecurity/statuses/309805924749541376
http://www.exploit-db.com/exploits/24747
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.4
http://www.openwall.com/lists/oss-security/2013/03/08/2
https://bugzilla.redhat.com/show_bug.cgi?id=919315
https://github.com/torvalds/linux/commit/726bc6b092da4c093eb74d13c07184b18c1af0f1