Three new vulnerabilities have been found in the Linux Kernel CVE-2014-3673, CVE-2014-3687, and CVE-2014-3688. These vulnerabilities allows a remote user to cause a denial of service (Kernel panic).
Denial of service in the Linux Kernel
Danger level: Middle
The presence of fixes: Yes
The number of vulnerabilities: 3
CVSSv2 rating: (AV: A / AC: L / Au: N / C: N / I: N / A: C / E: U / RL: OF / RC: C) = Base: 6.1 / Temporal: 4.5
(AV: A / AC: L / Au: N / C: N / I: N / A: C / E: U / RL: OF / RC: C) = Base: 6.1 / Temporal: 4.5
(AV: A / AC: L / Au: N / C: N / I: N / A: C / E: U / RL: OF / RC: C) = Base: 6.1 / Temporal: 4.5
CVE ID: CVE-2014-3673; CVE-2014-3687; CVE-2014-3688
Vector of exploitation: Remote
Impact: Denial of service
Affected products: Linux Kernel 3.10.x, Linux Kernel 3.12.x, Linux Kernel 3.14.x, Linux Kernel 3.17.x
Affected versions: Linux Kernel versions prior to 3.17.4, Linux Kernel versions prior to 3.14.25, Linux Kernel versions prior to 3.10.61, Linux Kernel versions prior to 3.12.34
Description:
1. [CVE-2014-3673] The vulnerability is caused due to an error when processing ASCONF, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c.. A remote user can cause denial of service.
2. [CVE-2014-3687] The vulnerability is caused due to an error in the function “sctp_assoc_lookup_asconf_ack ()” in the file net / sctp / associola.c which allows remote attackers to cause a denial of service (panic) via duplicate ASCONF chunks.
3. [CVE-2014-3688] The vulnerability is caused due to an error related to net/sctp/inqueue.c and net/sctp/sm_statefuns.c. This allows remote attackers to cause a denial of service
Solution: Install the latest version from the manufacturer.
Manufacturer’s URL: http://www.kernel.org/
References:
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.17.4
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.25
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.61
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.34
