CVE-2013-7470 - Resource Exhaustion vulnerability in Linux Kernel
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Summary
cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel before 3.11.7, when CONFIG_NETLABEL is disabled, allows attackers to cause a denial of service (infinite loop and crash), as demonstrated by icmpsic, a different vulnerability than CVE-2013-0310.
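As an added illustration of the failure the summary describes (this is example code written for this page, not the kernel's cipso_v4_validate nor anything from Tenable or Arista): a model of the length walk that the CONFIG_NETLABEL-disabled stub performs over a CIPSO IP option, first in the pre-3.11.7 shape, then with the guards the page's referenced fix introduces. The option layout used (type 134, total length, 4-byte DOI, then tags that each carry their own length at offset +1) is the CIPSO wire format; the three sample options, the 40-byte buffer convention and the STEP_CAP counter that stands in for "spins forever" are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not kernel or Tenable code: a model of the CIPSO option
 * length walk done by the !CONFIG_NETLABEL stub of cipso_v4_validate().
 * Layout (CIPSO IP option 134): opt[0]=type, opt[1]=total length,
 * opt[2..5]=DOI, then tags, each carrying its own length at offset +1.
 * Callers pass a 40-byte buffer (the IPv4 option maximum) so the reads
 * below stay in bounds whatever opt[1] says. */

#define IPOPT_CIPSO 134
#define OPT_BUF     40
#define STEP_CAP    64   /* demo assumption: stands in for "never terminates" */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Pre-fix shape: the per-tag length byte is trusted to move the cursor.
 * Returns 0 = accepted, >0 = offset of the offending byte,
 * -1 = the cursor stopped advancing (without STEP_CAP this loops forever). */
static int cipso_validate_old(const uint8_t opt[OPT_BUF])
{
    uint8_t opt_len = opt[1];
    uint8_t opt_iter;
    unsigned steps = 0;

    if (opt[0] != IPOPT_CIPSO || opt_len < 8 || opt_len > OPT_BUF - 1)
        return 1;
    if (be32(&opt[2]) == 0)               /* DOI 0 is reserved */
        return 2;

    for (opt_iter = 6; opt_iter < opt_len;) {
        if (++steps > STEP_CAP)
            return -1;
        if (opt[opt_iter + 1] > (opt_len - opt_iter))
            return opt_iter + 1;
        opt_iter += opt[opt_iter + 1];    /* a zero tag length advances nothing */
    }
    return 0;
}

/* Guarded shape: reject a tag with no room for its length byte and a zero
 * tag length before the value is used as the stride. */
static int cipso_validate_new(const uint8_t opt[OPT_BUF])
{
    uint8_t opt_len = opt[1];
    uint8_t opt_iter, tag_len;

    if (opt[0] != IPOPT_CIPSO || opt_len < 8 || opt_len > OPT_BUF - 1)
        return 1;
    if (be32(&opt[2]) == 0)
        return 2;

    for (opt_iter = 6; opt_iter < opt_len;) {
        if (opt_iter + 1 == opt_len)      /* no length byte for this tag */
            return opt_iter;
        tag_len = opt[opt_iter + 1];
        if (tag_len == 0 || tag_len > (opt_len - opt_iter))
            return opt_iter + 1;
        opt_iter += tag_len;
    }
    return 0;
}

/* Constructed sample options: DOI 1, one tag of type 1; trailing bytes are zero. */
static const uint8_t sample_ok[OPT_BUF]       = {IPOPT_CIPSO, 10, 0, 0, 0, 1, 1, 4, 0, 0};
static const uint8_t sample_zero_tag[OPT_BUF] = {IPOPT_CIPSO, 10, 0, 0, 0, 1, 1, 0, 0, 0};
static const uint8_t sample_long_tag[OPT_BUF] = {IPOPT_CIPSO, 10, 0, 0, 0, 1, 1, 9, 0, 0};

int main(void)
{
    printf("well-formed   old=%2d new=%2d\n", cipso_validate_old(sample_ok),       cipso_validate_new(sample_ok));
    printf("zero tag len  old=%2d new=%2d\n", cipso_validate_old(sample_zero_tag), cipso_validate_new(sample_zero_tag));
    printf("tag too long  old=%2d new=%2d\n", cipso_validate_old(sample_long_tag), cipso_validate_new(sample_long_tag));
    return 0;
}
```

The over-long tag is caught by both shapes, which is why the zero-length case is the one that matters: the old walk accepts a stride of zero as "in range" and then stands still, and on a softirq path that is the hang the advisory calls an infinite loop. For a defender the practical checks are the kernel version (3.11.7 or later, or a vendor build carrying the referenced commit) and whether CONFIG_NETLABEL is enabled in the running configuration, since the NetLabel code path has its own validator.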
Common Attack Pattern Enumeration and Classification (CAPEC)
- XML Ping of the Death: An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
- XML Entity Expansion: An attacker submits an XML document to a target application where the XML document uses nested entity expansion to produce an excessively large output XML. XML allows the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.
- Inducing Account Lockout: An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log-in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.
- Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS)): XML Denial of Service (XDoS) can be applied to any technology that utilizes XML data. This is, of course, most distributed systems technology including Java, .Net, databases, and so on. XDoS is most closely associated with web services, SOAP, and REST, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. There are three primary attack vectors that XDoS can navigate:
  - Target CPU through recursion: the attacker creates a recursive payload and sends it to the service provider.
  - Target memory through jumbo payloads: the service provider uses DOM to parse XML. DOM creates an in-memory representation of the XML document, but when the document is very large (for example, north of 1 Gb) the service provider host may exhaust memory trying to build memory objects.
  - XML Ping of death: attack the service provider with numerous small files that clog the system.
  All of the above attacks exploit the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.
Nessus
NASL family: Misc.
NASL id: ARISTA_EOS_SA0040.NASL
description: The version of Arista Networks EOS running on the remote device is affected by a denial of service vulnerability in the Linux kernel. An unauthenticated, remote attacker can exploit this, by sending malformed packets with rarely used packet options to a vulnerable switch. Note that Nessus has not tested for this issue but has instead relied only on the application
last seen: 2020-03-17
modified: 2020-03-06
plugin id: 134304
published: 2020-03-06
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/134304
title: Arista Networks EOS kernel DoS (SA0040)
code:

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(134304);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/10");

  script_cve_id("CVE-2013-7470");

  script_name(english:"Arista Networks EOS kernel DoS (SA0040)");

  script_set_attribute(attribute:"synopsis", value:
"The version of Arista Networks EOS running on the remote device is affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Arista Networks EOS running on the remote device is affected by a denial of service vulnerability in the
Linux kernel. An unauthenticated, remote attacker can exploit this, by sending malformed packets with rarely used packet
options to a vulnerable switch.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://www.arista.com/en/support/advisories-notices/security-advisories/7098-security-advisory-40
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fc9de589");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Arista Networks EOS version EOS-4.18.11M / EOS-4.19.12.1M or later. Alternatively, apply the patch referenced
in the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-7470");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/04/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/06");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:arista:eos");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("arista_eos_detect.nbin");
  script_require_keys("Host/Arista-EOS/Version");

  exit(0);
}

include('arista_eos_func.inc');

version = get_kb_item_or_exit('Host/Arista-EOS/Version');

# Hosts carrying the vendor hotfix extension are not affected.
ext = 'SecurityAdvisory0040Hotfix.rpm 1.0.0/eng';
sha = '7eea494a74245a06369ed11798bbcd13f6782932ee5586fb289ec6fc5dae4a300bc745a0aec4fb0e348d85d03c2aca37ad97c55313ced0f4c1632888944d2b1d';

if (eos_extension_installed(ext:ext, sha:sha))
  audit(AUDIT_HOST_NOT, 'affected as a relevant hotfix has been installed');

vmatrix = make_array();
vmatrix['all'] = make_list('4.14<=4.17.99');
vmatrix['F'] = make_list('4.19.0', '4.19.1', '4.19.2', '4.19.2.1', '4.19.2.2', '4.19.2.3', '4.19.3',
                         '4.18.0', '4.18.2', '4.18.1.1', '4.18.2', '4.18.2.1', '4.18.3.1', '4.18.4',
                         '4.18.4.1', '4.18.4.2', '4.18.5');
vmatrix['M'] = make_list('4.19.4', '4.19.4.1', '4.19.5', '4.19.6', '4.19.6.1', '4.19.6.2', '4.19.6.3',
                         '4.19.7', '4.19.8', '4.19.9', '4.19.10', '4.19.11', '4.19.12',
                         '4.18.3', '4.18.6', '4.18.7', '4.18.8', '4.18.9', '4.18.10');
vmatrix['fix'] = '4.18.11M / 4.19.12.1M';

if (eos_is_affected(vmatrix:vmatrix, version:version))
  security_report_v4(severity:SECURITY_HOLE, port:0, extra:eos_report_get());
else
  audit(AUDIT_INST_VER_NOT_VULN, 'Arista Networks EOS', version);
NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-1636.NASL
description: According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc. Security Fix(es): An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup. (CVE-2019-11815) A flaw was found in the Linux kernel
last seen: 2020-04-16
modified: 2019-05-30
plugin id: 125588
published: 2019-05-30
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/125588
title: EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1636)
code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(125588);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/14");

  script_cve_id(
    "CVE-2013-7470",
    "CVE-2018-16880",
    "CVE-2018-19406",
    "CVE-2018-19985",
    "CVE-2019-11815",
    "CVE-2019-3459",
    "CVE-2019-3460",
    "CVE-2019-3819",
    "CVE-2019-3837",
    "CVE-2019-3882",
    "CVE-2019-3900",
    "CVE-2019-3901",
    "CVE-2019-8956",
    "CVE-2019-9213"
  );

  script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1636)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the
remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles
    the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.

    Security Fix(es):

    An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race
    condition leading to a use-after-free, related to net namespace cleanup. (CVE-2019-11815)

    A flaw was found in the Linux kernel's handle_rx() function in the vhost_net driver. A malicious virtual guest, under
    specific conditions, can trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host which may lead to a
    kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully
    ruled out. (CVE-2018-16880)

    A NULL pointer dereference security flaw was found in the Linux kernel in kvm_pv_send_ipi() in arch/x86/kvm/lapic.c.
    This allows local users with certain privileges to cause a denial of service via a crafted system call to the KVM
    subsystem. (CVE-2018-19406)

    The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the
    USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that
    potentially allows arbitrary read in the kernel address space. (CVE-2018-19985)

    ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a
    new security problem. When the candidate has been publicized, the details for this candidate will be provided.
    (CVE-2019-3459)

    ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a
    new security problem. When the candidate has been publicized, the details for this candidate will be provided.
    (CVE-2019-3460)

    A flaw was found in the Linux kernel in the function hid_debug_events_read() in the drivers/hid/hid-debug.c file
    which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user ('root')
    can cause a system lock up and a denial of service. (CVE-2019-3819)

    In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which
    makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to
    a capability check for the wrong task. (CVE-2019-9213)

    A flaw was found in the Linux kernel's vfio interface implementation that permits violation of the user's locked
    memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively
    granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS).
    Versions 3.10, 4.14 and 4.18 are vulnerable. (CVE-2019-3882)

    An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while
    handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can
    process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in
    a DoS scenario. (CVE-2019-3900)

    It was found that the net_dma code in tcp_recvmsg() in the 2.6.32 kernel as shipped in RHEL6 is thread-unsafe. So
    an unprivileged multi-threaded userspace application calling recvmsg() for the same network socket in parallel
    executed on ioatdma-enabled hardware with net_dma enabled can leak the memory, crash the host leading to a
    denial-of-service or cause a random memory corruption. (CVE-2019-3837)

    A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs. As no
    relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for
    the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually
    attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current)
    call that is performed in install_exec_creds() during privileged execve() calls. This issue affects kernel versions
    before 4.8. (CVE-2019-3901)

    ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a
    new security problem. When the candidate has been publicized, the details for this candidate will be provided.
    (CVE-2019-8956)

    cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel before 3.11.7, when CONFIG_NETLABEL is disabled,
    allows attackers to cause a denial of service (infinite loop and crash), as demonstrated by icmpsic, a different
    vulnerability than CVE-2013-0310. (CVE-2013-7470)

    Note1: kernel-4.19.36-vhulk1907.1.0.h529 and earlier versions in EulerOS Virtualization for ARM 64 3.0.2.0 return
    incorrect time information when executing the uname -a command.

    Note2: The kernel version number naming format has been changed after 4.19.36-1.2.184.aarch64, the new version
    format is 4.19.36-vhulk1907.1.0.hxxx.aarch64, which may lead to false positives of this security advisory.

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security
advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional
issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1636
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5118fa2c");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/30");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

# Fixed package versions from the EulerOS advisory; any installed package
# older than its entry here marks the host as affected.
flag = 0;

pkgs = ["kernel-4.19.36-1.2.159",
        "kernel-devel-4.19.36-1.2.159",
        "kernel-headers-4.19.36-1.2.159",
        "kernel-tools-4.19.36-1.2.159",
        "kernel-tools-libs-4.19.36-1.2.159",
        "kernel-tools-libs-devel-4.19.36-1.2.159",
        "perf-4.19.36-1.2.159",
        "python-perf-4.19.36-1.2.159"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
References
- https://github.com/torvalds/linux/commit/f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b
- https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.11.7
- https://support.f5.com/csp/article/K21914362
- https://www.arista.com/en/support/advisories-notices/security-advisories/7098-security-advisory-40