CVE-2008-3792

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 2.6.26.4

Description The issue is related to the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel. It does not verify that the SCTP-AUTH extension is enabled before proceeding with SCTP-AUTH API functions, which allows attackers to cause a denial of service (NULL pointer dereference and panic) via vectors that result in calls to various functions, including sctp setsockopt auth chunk, sctp setsockopt hmac ident, sctp setsockopt auth key, sctp setsockopt active key, sctp setsockopt del key, sctp getsockopt maxburst, sctp getsockopt active key, sctp getsockopt peer auth chunks, or sctp getsockopt local auth chunks. Multiple vulnerabilities in various Linux packages may lead to disruption of confidentiality, integrity, and availability of protected information, and can be exploited remotely.

Recommendations For Linux kernel versions prior to 2.6.26.4, update to version 2.6.26.4 or later to resolve the issue. As a temporary workaround, consider disabling the SCTP-AUTH extension until a patch is available. Restrict access to the vulnerable API functions to minimize the risk of exploitation. Avoid using the affected functions in the API endpoint until the issue is resolved. At the moment, there is no information about other specific fixes for this vulnerability.