National Cyber-Alert System
Vulnerability Summary for CVE-2008-4618
Original release date: 10/21/2008
Last revised: 02/10/2009
Source: US-CERT/NIST
Overview
The Stream Control Transmission Protocol (SCTP) implementation in the Linux kernel before 2.6.27 does not properly handle a protocol violation in which a parameter has an invalid length. This allows attackers to cause a denial of service (kernel panic) via unspecified vectors; the flaw is related to sctp_sf_violation_paramlen, sctp_sf_abort_violation, sctp_make_abort_violation, and incorrect data types in function calls.
Impact
CVSS Severity (version 2.0):
Impact Subscore: 6.9
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Note: Access Complexity scored Low due to insufficient information.
Authentication: Not required to exploit
Impact Type: Allows disruption of service
Unknown
Official Statement from Red Hat (01/22/2009):
The versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 were not affected by this issue.
This issue only affected the version of Linux kernel as shipped with Red Hat Enterprise MRG and was addressed via: https://rhn.redhat.com/errata/RHSA-2009-0009.html
References to Advisories, Solutions, and Tools
UBUNTU: USN-679-1
BID: 31848
REDHAT: RHSA-2009:0009
MLIST: [oss-security] 20081006 CVE request: kernel: sctp: Fix kernel panic while process protocol violation parameter
CONFIRM: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27
DEBIAN: DSA-1681
SECUNIA: 33586
SECUNIA: 32998
SECUNIA: 32918
SUSE: SUSE-SA:2008:053
CONFIRM: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.27.y.git;a=commit;h=ba0166708ef4da7eeb61dd92bbba4d5a749d6561