CVE-2014-0101

Name of the Vulnerable Software and Affected Versions SUSE Linux Enterprise kernel-pae-devel versions (affected versions not specified) SUSE Linux Enterprise kernel-xen-devel versions (affected versions not specified) SUSE Linux Enterprise gfs2-kmp-xen versions (affected versions not specified) SUSE Linux Enterprise kernel-ec2-devel versions (affected versions not specified) Linux kernel versions prior to 3.13.6

Description The issue concerns multiple vulnerabilities in various packages of the SUSE Linux Enterprise operating system, including kernel-pae-devel, kernel-xen-devel, gfs2-kmp-xen, and kernel-ec2-devel. These vulnerabilities can be exploited remotely, potentially leading to breaches of confidentiality, integrity, and availability of protected information. Specifically, the sctp sf do 5 1D ce function in net/sctp/sm statefuns.c of the Linux kernel does not properly validate auth enable and auth capable fields before making an sctp sf authenticate call. This allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE ECHO chunk. Remote users can also cause a denial of service (NULL pointer dereference) when using the SCTP network protocol.

Recommendations For SUSE Linux Enterprise kernel-pae-devel, consider disabling the vulnerable components until a patch is available. For SUSE Linux Enterprise kernel-xen-devel, restrict access to the vulnerable modules to minimize the risk of exploitation. For SUSE Linux Enterprise gfs2-kmp-xen, avoid using the affected package until the issue is resolved. For SUSE Linux Enterprise kernel-ec2-devel, consider applying configuration changes to mitigate the risk of remote exploitation. For Linux kernel versions prior to 3.13.6, update to a version 3.13.6 or later to resolve the issue. At the moment, there is no information about additional mitigation measures for these vulnerabilities.