Lucene search

K
ubuntucveUbuntu.comUB:CVE-2012-6704
HistoryDec 28, 2016 - 12:00 a.m.

CVE-2012-6704

2016-12-2800:00:00
ubuntu.com
ubuntu.com
9

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0

Percentile

5.1%

The sock_setsockopt function in net/core/sock.c in the Linux kernel before
3.5 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows
local users to cause a denial of service (memory corruption and system
crash) or possibly have unspecified other impact by leveraging the
CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1)
SO_SNDBUF or (2) SO_RCVBUF option.

Notes

Author Note
sbeattie it’s not possible to exploit this via unprivileged SO_SNDBUF/SO_RCVBUF setsockopt() calls, as passing a signed value that is negative but when multiplied by 2 turns positive first gets compared against the unsigned int sysctl_wmem_max value to see if its larger than that. Because sysctl_wmem_max is unsigned, the compiler treats the value passed as unsigned, and thus a β€œnegative” value turns into a large positive value, and runs afoul of this check.

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0

Percentile

5.1%