National Vulnerability Database (NVD) National Vulnerability Database (CVE-2008-1673)

National Cyber-Alert System

Vulnerability Summary for CVE-2008-1673

Original release date:06/10/2008

Last revised:02/12/2009

Source: US-CERT/NIST

Overview

The asn1 implementation in (a) the Linux kernel 2.4 before 2.4.36.6 and 2.6 before 2.6.25.5, as used in the cifs and ip_nat_snmp_basic modules; and (b) the gxsnmp package; does not properly validate length values during decoding of ASN.1 BER data, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via (1) a length greater than the working buffer, which can lead to an unspecified overflow; (2) an oid length of zero, which can lead to an off-by-one error; or (3) an indefinite length for a primitive encoding.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C) (legend)

Impact Subscore: 10.0

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type:Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Vendor Statments (disclaimer)

Official Statement from Red Hat (04/15/2009): Not vulnerable. This issue did not have a security consequence for the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5, and as such, was treated as a bug fix. This issue could result in arbitrary code execution if the SLOB or SLUB memory allocators were used (introduced in Linux kernel versions 2.6.16 and 2.6.22 respectively). Red Hat Enterprise Linux and Red Hat Enterprise MRG use the SLAB memory allocator, which, in this case, cannot be exploited to allow arbitrary code execution. Red Hat Enterprise Linux 2.1 and Red Hat Enterprise MRG were not affected.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: BID

Name: 29589

Type: Patch Information

Hyperlink:http://www.securityfocus.com/bid/29589

External Source: FEDORA

Name: FEDORA-2008-5308

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00587.html

External Source: CONFIRM

Name: https://bugzilla.redhat.com/show_bug.cgi?id=443962

Hyperlink:https://bugzilla.redhat.com/show_bug.cgi?id=443962

External Source: XF

Name: kernel-ber-decoder-bo(42921)

Hyperlink:http://xforce.iss.net/xforce/xfdb/42921

External Source: UBUNTU

Name: USN-625-1

Hyperlink:http://www.ubuntu.com/usn/usn-625-1

External Source: BUGTRAQ

Name: 20080611 rPSA-2008-0189-1 kernel xen

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/493300/100/0/threaded

External Source: MANDRIVA

Name: MDVSA-2008:174

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2008:174

External Source: MANDRIVA

Name: MDVSA-2008:113

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2008:113

External Source: VUPEN

Name: ADV-2008-1770

Type: Advisory

Hyperlink:http://www.frsirt.com/english/advisories/2008/1770

External Source: CONFIRM

Name: http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0189

Hyperlink:http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0189

External Source: SECUNIA

Name: 32759

Hyperlink:http://secunia.com/advisories/32759

External Source: SECUNIA

Name: 32104

Hyperlink:http://secunia.com/advisories/32104

External Source: SECUNIA

Name: 32103

Hyperlink:http://secunia.com/advisories/32103

External Source: SECUNIA

Name: 31836

Hyperlink:http://secunia.com/advisories/31836

External Source: SECUNIA

Name: 31107

Hyperlink:http://secunia.com/advisories/31107

External Source: SECUNIA

Name: 30658

Hyperlink:http://secunia.com/advisories/30658

External Source: SECUNIA

Name: 30644

Hyperlink:http://secunia.com/advisories/30644

External Source: SECUNIA

Name: 30580

Type: Advisory

Hyperlink:http://secunia.com/advisories/30580

External Source: SUSE

Name: SUSE-SR:2008:025

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00001.html

External Source: SUSE

Name: SUSE-SA:2008:049

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00003.html

External Source: SUSE

Name: SUSE-SA:2008:048

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00001.html

External Source: SUSE

Name: SUSE-SA:2008:047

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00000.html

External Source: SUSE

Name: SUSE-SA:2008:038

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00012.html

External Source: SUSE

Name: SUSE-SA:2008:035

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00007.html

External Source: CONFIRM

Name: http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.5

Hyperlink:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.5

External Source: CONFIRM

Name: http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.36.6

Hyperlink:http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.36.6

External Source: CONFIRM

Name: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ddb2c43594f22843e9f3153da151deaba1a834c5

Hyperlink:http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ddb2c43594f22843e9f3153da151deaba1a834c5

External Source: CONFIRM

Name: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=33afb8403f361919aa5c8fe1d0a4f5ddbfbbea3c

Hyperlink:http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=33afb8403f361919aa5c8fe1d0a4f5ddbfbbea3c

External Source: SECTRACK

Name: 1020210

Hyperlink:http://www.securitytracker.com/id?1020210

External Source: SECUNIA

Name: 30000

Hyperlink:http://secunia.com/advisories/30000

Vulnerable software and versions

Configuration 1

* cpe:/o:debian:debian_linux:4.0

* cpe:/o:debian:debian_linux:4.0::alpha

* cpe:/o:debian:debian_linux:4.0::amd64

* cpe:/o:debian:debian_linux:4.0::arm

* cpe:/o:debian:debian_linux:4.0::hppa

* cpe:/o:debian:debian_linux:4.0::ia-32

* cpe:/o:debian:debian_linux:4.0::ia-64

* cpe:/o:debian:debian_linux:4.0::m68k

* cpe:/o:debian:debian_linux:4.0::mips

* cpe:/o:debian:debian_linux:4.0::mipsel

* cpe:/o:debian:debian_linux:4.0::powerpc

* cpe:/o:debian:debian_linux:4.0::s-390

* cpe:/o:debian:debian_linux:4.0::sparc

* cpe:/o:linux:kernel:2.4.36

* cpe:/o:linux:kernel:2.4.36.1

* cpe:/o:linux:kernel:2.4.36.2

* cpe:/o:linux:kernel:2.4.36.3

* cpe:/o:linux:kernel:2.4.36.4

* cpe:/o:linux:kernel:2.4.36.5

* cpe:/o:linux:kernel:2.6.21.6

* cpe:/o:linux:kernel:2.6.21.7

* cpe:/o:linux:kernel:2.6.22.11

* cpe:/o:linux:kernel:2.6.22.12

* cpe:/o:linux:kernel:2.6.22.13

* cpe:/o:linux:kernel:2.6.22.14

* cpe:/o:linux:kernel:2.6.22.15

* cpe:/o:linux:kernel:2.6.22.17

* cpe:/o:linux:kernel:2.6.22.8

* cpe:/o:linux:kernel:2.6.22_rc1

* cpe:/o:linux:kernel:2.6.22_rc7

* cpe:/o:linux:kernel:2.6.23.10

* cpe:/o:linux:kernel:2.6.24.1

* cpe:/o:linux:kernel:2.6.24.2

* cpe:/o:linux:kernel:2.6.24.6

* cpe:/o:linux:kernel:2.6.24_rc1

* cpe:/o:linux:kernel:2.6.25

* cpe:/o:linux:kernel:2.6.25.1

* cpe:/o:linux:kernel:2.6.25.2

* cpe:/o:linux:kernel:2.6.25.3

* cpe:/o:linux:kernel:2.6.25.4

* cpe:/o:linux:linux_kernel:2.4.0

* cpe:/o:linux:linux_kernel:2.4.0:test1

* cpe:/o:linux:linux_kernel:2.4.0:test10

* cpe:/o:linux:linux_kernel:2.4.0:test11

* cpe:/o:linux:linux_kernel:2.4.0:test12

* cpe:/o:linux:linux_kernel:2.4.0:test2

* cpe:/o:linux:linux_kernel:2.4.0:test3

* cpe:/o:linux:linux_kernel:2.4.0:test4

* cpe:/o:linux:linux_kernel:2.4.0:test5

* cpe:/o:linux:linux_kernel:2.4.0:test6

* cpe:/o:linux:linux_kernel:2.4.0:test7

* cpe:/o:linux:linux_kernel:2.4.0:test8

* cpe:/o:linux:linux_kernel:2.4.0:test9

* cpe:/o:linux:linux_kernel:2.4.1

* cpe:/o:linux:linux_kernel:2.4.10

* cpe:/o:linux:linux_kernel:2.4.11

* cpe:/o:linux:linux_kernel:2.4.12

* cpe:/o:linux:linux_kernel:2.4.13

* cpe:/o:linux:linux_kernel:2.4.14

* cpe:/o:linux:linux_kernel:2.4.15

* cpe:/o:linux:linux_kernel:2.4.16

* cpe:/o:linux:linux_kernel:2.4.17

* cpe:/o:linux:linux_kernel:2.4.18

* cpe:/o:linux:linux_kernel:2.4.18:pre1

* cpe:/o:linux:linux_kernel:2.4.18:pre2

* cpe:/o:linux:linux_kernel:2.4.18:pre3

* cpe:/o:linux:linux_kernel:2.4.18:pre4

* cpe:/o:linux:linux_kernel:2.4.18:pre5

* cpe:/o:linux:linux_kernel:2.4.18:pre6

* cpe:/o:linux:linux_kernel:2.4.18:pre7

* cpe:/o:linux:linux_kernel:2.4.18:pre8

* cpe:/o:linux:linux_kernel:2.4.19

* cpe:/o:linux:linux_kernel:2.4.19:pre1

* cpe:/o:linux:linux_kernel:2.4.19:pre2

* cpe:/o:linux:linux_kernel:2.4.19:pre3

* cpe:/o:linux:linux_kernel:2.4.19:pre4

* cpe:/o:linux:linux_kernel:2.4.19:pre5

* cpe:/o:linux:linux_kernel:2.4.19:pre6

* cpe:/o:linux:linux_kernel:2.4.2

* cpe:/o:linux:linux_kernel:2.4.20

* cpe:/o:linux:linux_kernel:2.4.21

* cpe:/o:linux:linux_kernel:2.4.21:pre1

* cpe:/o:linux:linux_kernel:2.4.21:pre4

* cpe:/o:linux:linux_kernel:2.4.21:pre7

* cpe:/o:linux:linux_kernel:2.4.22

* cpe:/o:linux:linux_kernel:2.4.23

* cpe:/o:linux:linux_kernel:2.4.23:pre9

* cpe:/o:linux:linux_kernel:2.4.23_ow2

* cpe:/o:linux:linux_kernel:2.4.24

* cpe:/o:linux:linux_kernel:2.4.24_ow1

* cpe:/o:linux:linux_kernel:2.4.25

* cpe:/o:linux:linux_kernel:2.4.26

* cpe:/o:linux:linux_kernel:2.4.27

* cpe:/o:linux:linux_kernel:2.4.27:pre1

* cpe:/o:linux:linux_kernel:2.4.27:pre2

* cpe:/o:linux:linux_kernel:2.4.27:pre3

* cpe:/o:linux:linux_kernel:2.4.27:pre4

* cpe:/o:linux:linux_kernel:2.4.27:pre5

* cpe:/o:linux:linux_kernel:2.4.28

* cpe:/o:linux:linux_kernel:2.4.29

* cpe:/o:linux:linux_kernel:2.4.29:rc1

* cpe:/o:linux:linux_kernel:2.4.29:rc2

* cpe:/o:linux:linux_kernel:2.4.3

* cpe:/o:linux:linux_kernel:2.4.30

* cpe:/o:linux:linux_kernel:2.4.30:rc2

* cpe:/o:linux:linux_kernel:2.4.30:rc3

* cpe:/o:linux:linux_kernel:2.4.31

* cpe:/o:linux:linux_kernel:2.4.31:pre1

* cpe:/o:linux:linux_kernel:2.4.32

* cpe:/o:linux:linux_kernel:2.4.32:pre1

* cpe:/o:linux:linux_kernel:2.4.32:pre2

* cpe:/o:linux:linux_kernel:2.4.33

* cpe:/o:linux:linux_kernel:2.4.33.2

* cpe:/o:linux:linux_kernel:2.4.33.3

* cpe:/o:linux:linux_kernel:2.4.33.4

* cpe:/o:linux:linux_kernel:2.4.33.5

* cpe:/o:linux:linux_kernel:2.4.33:pre1

* cpe:/o:linux:linux_kernel:2.4.34

* cpe:/o:linux:linux_kernel:2.4.35

* cpe:/o:linux:linux_kernel:2.4.4

* cpe:/o:linux:linux_kernel:2.4.5

* cpe:/o:linux:linux_kernel:2.4.6

* cpe:/o:linux:linux_kernel:2.4.7

* cpe:/o:linux:linux_kernel:2.4.8

* cpe:/o:linux:linux_kernel:2.4.9

* cpe:/o:linux:linux_kernel:2.6.0

* cpe:/o:linux:linux_kernel:2.6.0:test1

* cpe:/o:linux:linux_kernel:2.6.0:test2

* cpe:/o:linux:linux_kernel:2.6.0:test3

* cpe:/o:linux:linux_kernel:2.6.0:test4

* cpe:/o:linux:linux_kernel:2.6.0:test5

* cpe:/o:linux:linux_kernel:2.6.0:test6

* cpe:/o:linux:linux_kernel:2.6.0:test7

* cpe:/o:linux:linux_kernel:2.6.0:test8

* cpe:/o:linux:linux_kernel:2.6.0:test9

* cpe:/o:linux:linux_kernel:2.6.1

* cpe:/o:linux:linux_kernel:2.6.1:rc1

* cpe:/o:linux:linux_kernel:2.6.1:rc2

* cpe:/o:linux:linux_kernel:2.6.10

* cpe:/o:linux:linux_kernel:2.6.10:rc2

* cpe:/o:linux:linux_kernel:2.6.11

* cpe:/o:linux:linux_kernel:2.6.11.11

* cpe:/o:linux:linux_kernel:2.6.11.12

* cpe:/o:linux:linux_kernel:2.6.11.4

* cpe:/o:linux:linux_kernel:2.6.11.5

* cpe:/o:linux:linux_kernel:2.6.11.6

* cpe:/o:linux:linux_kernel:2.6.11.7

* cpe:/o:linux:linux_kernel:2.6.11.8

* cpe:/o:linux:linux_kernel:2.6.11:rc2

* cpe:/o:linux:linux_kernel:2.6.11:rc3

* cpe:/o:linux:linux_kernel:2.6.11:rc4

* cpe:/o:linux:linux_kernel:2.6.12

* cpe:/o:linux:linux_kernel:2.6.12.1

* cpe:/o:linux:linux_kernel:2.6.12.12

* cpe:/o:linux:linux_kernel:2.6.12.2

* cpe:/o:linux:linux_kernel:2.6.12.22

* cpe:/o:linux:linux_kernel:2.6.12.3

* cpe:/o:linux:linux_kernel:2.6.12.4

* cpe:/o:linux:linux_kernel:2.6.12.5

* cpe:/o:linux:linux_kernel:2.6.12.6

* cpe:/o:linux:linux_kernel:2.6.12:rc1

* cpe:/o:linux:linux_kernel:2.6.12:rc4

* cpe:/o:linux:linux_kernel:2.6.12:rc5

* cpe:/o:linux:linux_kernel:2.6.13

* cpe:/o:linux:linux_kernel:2.6.13.1

* cpe:/o:linux:linux_kernel:2.6.13.2

* cpe:/o:linux:linux_kernel:2.6.13.3

* cpe:/o:linux:linux_kernel:2.6.13.4

* cpe:/o:linux:linux_kernel:2.6.13:rc1

* cpe:/o:linux:linux_kernel:2.6.13:rc4

* cpe:/o:linux:linux_kernel:2.6.13:rc6

* cpe:/o:linux:linux_kernel:2.6.13:rc7

* cpe:/o:linux:linux_kernel:2.6.14

* cpe:/o:linux:linux_kernel:2.6.14.1

* cpe:/o:linux:linux_kernel:2.6.14.2

* cpe:/o:linux:linux_kernel:2.6.14.3

* cpe:/o:linux:linux_kernel:2.6.14.4

* cpe:/o:linux:linux_kernel:2.6.14.5

* cpe:/o:linux:linux_kernel:2.6.14:rc1

* cpe:/o:linux:linux_kernel:2.6.14:rc2

* cpe:/o:linux:linux_kernel:2.6.14:rc3

* cpe:/o:linux:linux_kernel:2.6.14:rc4

* cpe:/o:linux:linux_kernel:2.6.15

* cpe:/o:linux:linux_kernel:2.6.15.1

* cpe:/o:linux:linux_kernel:2.6.15.11

* cpe:/o:linux:linux_kernel:2.6.15.2

* cpe:/o:linux:linux_kernel:2.6.15.3

* cpe:/o:linux:linux_kernel:2.6.15.4

* cpe:/o:linux:linux_kernel:2.6.15.5

* cpe:/o:linux:linux_kernel:2.6.15:rc1

* cpe:/o:linux:linux_kernel:2.6.15:rc2

* cpe:/o:linux:linux_kernel:2.6.15:rc3

* cpe:/o:linux:linux_kernel:2.6.16

* cpe:/o:linux:linux_kernel:2.6.16.1

* cpe:/o:linux:linux_kernel:2.6.16.11

* cpe:/o:linux:linux_kernel:2.6.16.12

* cpe:/o:linux:linux_kernel:2.6.16.13

* cpe:/o:linux:linux_kernel:2.6.16.19

* cpe:/o:linux:linux_kernel:2.6.16.23

* cpe:/o:linux:linux_kernel:2.6.16.27

* cpe:/o:linux:linux_kernel:2.6.16.7

* cpe:/o:linux:linux_kernel:2.6.16.9

* cpe:/o:linux:linux_kernel:2.6.16:rc1

* cpe:/o:linux:linux_kernel:2.6.17

* cpe:/o:linux:linux_kernel:2.6.17.1

* cpe:/o:linux:linux_kernel:2.6.17.10

* cpe:/o:linux:linux_kernel:2.6.17.11

* cpe:/o:linux:linux_kernel:2.6.17.12

* cpe:/o:linux:linux_kernel:2.6.17.13

* cpe:/o:linux:linux_kernel:2.6.17.14

* cpe:/o:linux:linux_kernel:2.6.17.2

* cpe:/o:linux:linux_kernel:2.6.17.3

* cpe:/o:linux:linux_kernel:2.6.17.5

* cpe:/o:linux:linux_kernel:2.6.17.6

* cpe:/o:linux:linux_kernel:2.6.17.7

* cpe:/o:linux:linux_kernel:2.6.17.8

* cpe:/o:linux:linux_kernel:2.6.17:rc5

* cpe:/o:linux:linux_kernel:2.6.18

* cpe:/o:linux:linux_kernel:2.6.18.1

* cpe:/o:linux:linux_kernel:2.6.18.3

* cpe:/o:linux:linux_kernel:2.6.18.4

* cpe:/o:linux:linux_kernel:2.6.19.0

* cpe:/o:linux:linux_kernel:2.6.19.1

* cpe:/o:linux:linux_kernel:2.6.19.2

* cpe:/o:linux:linux_kernel:2.6.19:rc1

* cpe:/o:linux:linux_kernel:2.6.19:rc2

* cpe:/o:linux:linux_kernel:2.6.19:rc3

* cpe:/o:linux:linux_kernel:2.6.19:rc4

* cpe:/o:linux:linux_kernel:2.6.2

* cpe:/o:linux:linux_kernel:2.6.20

* cpe:/o:linux:linux_kernel:2.6.20.1

* cpe:/o:linux:linux_kernel:2.6.20.11

* cpe:/o:linux:linux_kernel:2.6.20.13

* cpe:/o:linux:linux_kernel:2.6.20.15

* cpe:/o:linux:linux_kernel:2.6.20.2

* cpe:/o:linux:linux_kernel:2.6.20.3

* cpe:/o:linux:linux_kernel:2.6.20.4

* cpe:/o:linux:linux_kernel:2.6.20.5

* cpe:/o:linux:linux_kernel:2.6.20.8

* cpe:/o:linux:linux_kernel:2.6.20.9

* cpe:/o:linux:linux_kernel:2.6.20:rc2

* cpe:/o:linux:linux_kernel:2.6.21

* cpe:/o:linux:linux_kernel:2.6.21.1

* cpe:/o:linux:linux_kernel:2.6.21.2

* cpe:/o:linux:linux_kernel:2.6.21:rc3

* cpe:/o:linux:linux_kernel:2.6.21:rc4

* cpe:/o:linux:linux_kernel:2.6.21:rc5

* cpe:/o:linux:linux_kernel:2.6.21:rc6

* cpe:/o:linux:linux_kernel:2.6.22

* cpe:/o:linux:linux_kernel:2.6.22.1

* cpe:/o:linux:linux_kernel:2.6.22.16

* cpe:/o:linux:linux_kernel:2.6.22.3

* cpe:/o:linux:linux_kernel:2.6.22.4

* cpe:/o:linux:linux_kernel:2.6.22.5

* cpe:/o:linux:linux_kernel:2.6.22.6

* cpe:/o:linux:linux_kernel:2.6.22.7

* cpe:/o:linux:linux_kernel:2.6.23

* cpe:/o:linux:linux_kernel:2.6.23.1

* cpe:/o:linux:linux_kernel:2.6.23.14

* cpe:/o:linux:linux_kernel:2.6.23.2

* cpe:/o:linux:linux_kernel:2.6.23.3

* cpe:/o:linux:linux_kernel:2.6.23.4

* cpe:/o:linux:linux_kernel:2.6.23.5

* cpe:/o:linux:linux_kernel:2.6.23.6

* cpe:/o:linux:linux_kernel:2.6.23.7

* cpe:/o:linux:linux_kernel:2.6.23.9

* cpe:/o:linux:linux_kernel:2.6.23:rc1

* cpe:/o:linux:linux_kernel:2.6.23:rc2

* cpe:/o:linux:linux_kernel:2.6.24:rc2

* cpe:/o:linux:linux_kernel:2.6.24:rc3

* cpe:/o:linux:linux_kernel:2.6_test9_cvs

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Buffer Errors (CWE-119)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1673