PT-2021-1518 · Linux+5 · Linux Kernel+5
Ilja Van Sprundel
+1
·
Published
2021-06-28
·
Updated
2023-08-14
·
CVE-2021-3655
CVSS v3.1
3.3
Low
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to v5.14-rc1
Description
The issue is related to insufficient input validation when handling SCTP packets, which may allow a remote attacker to gain unauthorized access to protected information. This could lead to remote information disclosure to an on-path attacker with no additional execution privileges needed. The vulnerability is due to a missing bounds check in functions such as
sctp v6 to sk daddr and sctp v4 from addr param, potentially causing an out of bounds read. User interaction is not required for exploitation.Recommendations
For Linux kernel versions prior to v5.14-rc1, update to version v5.14-rc1 or later to resolve the issue.
As a temporary workaround, consider restricting access to SCTP packets to minimize the risk of exploitation.
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Linuxmint
Linux Kernel
Suse
Ubuntu