PT-2013-1269 · Linux+4 · Linux Kernel+4

Mathias Krause

Published

2013-12-31

Updated

2020-05-19

CVE-2013-7421

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions linux-image versions 3.13.0 through 3.16.0 linux-image versions prior to 3.18.5

Description The issue affects the Linux kernel and can lead to breaches of confidentiality, integrity, and availability of protected information. It can be exploited locally or remotely. The Crypto API in the Linux kernel allows local users to load arbitrary kernel modules via a bind system call for an AF ALG socket with a module name in the salg name field.

Recommendations For linux-image versions 3.13.0 through 3.16.0, update to a version prior to 3.18.5 to resolve the issue. For linux-image versions prior to 3.18.5, update to version 3.18.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the AF ALG socket to minimize the risk of exploitation.

Exploit

Fix

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-17CWE-269

Related Identifiers

ALT-PU-2015-1118

ALT-PU-2015-1794

BDU:2015-09845

BDU:2015-09847

CESA-2015_2152

CVE-2013-7421

DSA-3170-1

MGASA-2015-0070

MGASA-2015-0075

MGASA-2015-0076

MGASA-2015-0077

MGASA-2015-0078

RHSA-2015:2152

RHSA-2015:2411

RHSA-2015_2152

RHSA-2015_2411

RHSA-2016:0068

USN-2513-1

USN-2514-1

USN-2543-1

USN-2544-1

USN-2545-1

USN-2546-1

Affected Products

Alt Linux

Centos

Linux Kernel

Red Hat

Ubuntu

PT-2013-1269 · Linux+4 · Linux Kernel+4

CVE-2013-7421

Weakness Enumeration

Related Identifiers

Affected Products

References · 118