Lucene search

K
ubuntucveUbuntu.comUB:CVE-2012-6704
HistoryDec 28, 2016 - 12:00 a.m.

CVE-2012-6704

2016-12-2800:00:00
ubuntu.com
ubuntu.com
4

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.0004 Low

EPSS

Percentile

5.3%

The sock_setsockopt function in net/core/sock.c in the Linux kernel before
3.5 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows
local users to cause a denial of service (memory corruption and system
crash) or possibly have unspecified other impact by leveraging the
CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1)
SO_SNDBUF or (2) SO_RCVBUF option.

Notes

Author Note
sbeattie it’s not possible to exploit this via unprivileged SO_SNDBUF/SO_RCVBUF setsockopt() calls, as passing a signed value that is negative but when multiplied by 2 turns positive first gets compared against the unsigned int sysctl_wmem_max value to see if its larger than that. Because sysctl_wmem_max is unsigned, the compiler treats the value passed as unsigned, and thus a “negative” value turns into a large positive value, and runs afoul of this check.

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.0004 Low

EPSS

Percentile

5.3%