Vulnerabilities > CVE-2013-7470 - Resource Exhaustion vulnerability in Linux Kernel

047910
CVSS 5.9 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
high complexity
linux
CWE-400
nessus

Summary

cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel before 3.11.7, when CONFIG_NETLABEL is disabled, allows attackers to cause a denial of service (infinite loop and crash), as demonstrated by icmpsic, a different vulnerability than CVE-2013-0310.

Vulnerable Configurations

Part Description Count
OS
Linux
1896

Common Attack Pattern Enumeration and Classification (CAPEC)

  • XML Ping of the Death
    An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
  • XML Entity Expansion
    An attacker submits an XML document to a target application where the XML document uses nested entity expansion to produce an excessively large output XML. XML allows the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.
  • Inducing Account Lockout
    An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.
  • Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS))
    XML Denial of Service (XDoS) can be applied to any technology that utilizes XML data. This is, of course, most distributed systems technology including Java, .Net, databases, and so on. XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. There are three primary attack vectors that XDoS can navigate Target CPU through recursion: attacker creates a recursive payload and sends to service provider Target memory through jumbo payloads: service provider uses DOM to parse XML. DOM creates in memory representation of XML document, but when document is very large (for example, north of 1 Gb) service provider host may exhaust memory trying to build memory objects. XML Ping of death: attack service provider with numerous small files that clog the system. All of the above attacks exploit the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.

Nessus

  • NASL familyMisc.
    NASL idARISTA_EOS_SA0040.NASL
    descriptionThe version of Arista Networks EOS running on the remote device is affected by a denial of service vulnerability in the Linux kernel. An unauthenticated, remote attacker can exploit this, by sending malformed packets with rarely used packet options to a vulnerable switch. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-03-17
    modified2020-03-06
    plugin id134304
    published2020-03-06
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134304
    titleArista Networks EOS kernel DoS (SA0040)
    code
    #TRUSTED 04afdd26887d9e3372d1e53cc20a6d7432638abc9ff88ae148c6fd09a5c5028a11db27cb8f72c8d028c7341d77e7af63f3a60cfe098302433be1a6c051251eed47a2a377b75ee36356dbcd8d9b7cc47c454693d160bf4758aa7bc0244a5cce98f1d0678008348852e4d394af77ef335c7b5b6bd921f9b0b5253f92dc4ccca1015a12d348f00b50927e4bfa41c273a234b2b05af923031db17ff06c3d99ccbf1d285cf6575c11c1f5a72f8e058f14ba2925771a01feb0368193feab28d5df9529d6f51c14b2163cbad9e2539ab800c0061ed1d9871871f7bb2e16c768f77ef31e19a2681fd15df7ae3ec8e6cc3a76f9a3a8db1b2713a83a98100669cc8ba38a69f01bd917452163c315231285c64b570484c0d74ad6a8d4ab863b9cd8095901b0c9982972f6daf2d66451e6713f8ab1b373ae0d30a1cba4df423d69d8b3506e635e5d4c4c547e6a2a6d9645cd73ef909f6b46c1d494068afdd1a99e32d6d98ecd12c1388799553fd223dcdbf22761de1dcc028b4d92ff6f023c9e6443cddf22d8701b929ba5db56fd42ae8a0b1fc672d9c490121f7ba941da0f88d748041f7f0dfc1fbc7200dd603e458a9227f9f1251d501e358838cc1d0e1b50d3f3f12bcc4c5fbcd164de02576375c05f10ab01f338e7459890040a2c402c9b997fac2ecea96f1424eb56a7e17a73d20bc1cb10cf84440560046a1e7eeb6c0519adf1b1b97f
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(134304);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/10");
    
      script_cve_id("CVE-2013-7470");
    
      script_name(english:"Arista Networks EOS kernel DoS (SA0040)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The version of Arista Networks EOS running on the remote device is affected by a denial of service vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of Arista Networks EOS running on the remote device is affected by a denial of service vulnerability in
    the Linux kernel. An unauthenticated, remote attacker can exploit this, by sending malformed packets with rarely used 
    packet options to a vulnerable switch.
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      # https://www.arista.com/en/support/advisories-notices/security-advisories/7098-security-advisory-40
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fc9de589");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Arista Networks EOS version EOS-4.18.11M / EOS-4.19.12.1M or later. Alternatively, apply the patch
    referenced in the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-7470");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/04/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/06");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:arista:eos");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("arista_eos_detect.nbin");
      script_require_keys("Host/Arista-EOS/Version");
    
      exit(0);
    }
    
    
    include('arista_eos_func.inc');
    
    version = get_kb_item_or_exit('Host/Arista-EOS/Version');
    ext='SecurityAdvisory0040Hotfix.rpm 1.0.0/eng';
    sha='7eea494a74245a06369ed11798bbcd13f6782932ee5586fb289ec6fc5dae4a300bc745a0aec4fb0e348d85d03c2aca37ad97c55313ced0f4c1632888944d2b1d';
    
    if(eos_extension_installed(ext:ext, sha:sha))
      audit(AUDIT_HOST_NOT, 'affected as a relevant hotfix has been installed');
    
    vmatrix = make_array();
    vmatrix['all'] =  make_list('4.14<=4.17.99');
    vmatrix['F'] =    make_list('4.19.0',
                                '4.19.1',
                                '4.19.2',
                                '4.19.2.1',
                                '4.19.2.2',
                                '4.19.2.3',
                                '4.19.3',
                                '4.18.0',
                                '4.18.2',
                                '4.18.1.1',
                                '4.18.2',
                                '4.18.2.1',
                                '4.18.3.1',
                                '4.18.4',
                                '4.18.4.1',
                                '4.18.4.2',
                                '4.18.5');
    
    vmatrix['M'] =    make_list('4.19.4',
                                '4.19.4.1',
                                '4.19.5',
                                '4.19.6',
                                '4.19.6.1',
                                '4.19.6.2',
                                '4.19.6.3',
                                '4.19.7',
                                '4.19.8',
                                '4.19.9',
                                '4.19.10',
                                '4.19.11',
                                '4.19.12',
                                '4.18.3',
                                '4.18.6',
                                '4.18.7',
                                '4.18.8',
                                '4.18.9',
                                '4.18.10');
    
    vmatrix['fix'] = '4.18.11M / 4.19.12.1M';
    
    if (eos_is_affected(vmatrix:vmatrix, version:version))
      security_report_v4(severity:SECURITY_HOLE, port:0, extra:eos_report_get());
    else
      audit(AUDIT_INST_VER_NOT_VULN, 'Arista Networks EOS', version);
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1636.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup.(CVE-2019-11815)A flaw was found in the Linux kernel
    last seen2020-04-16
    modified2019-05-30
    plugin id125588
    published2019-05-30
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125588
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1636)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(125588);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/14");
    
      script_cve_id(
        "CVE-2013-7470",
        "CVE-2018-16880",
        "CVE-2018-19406",
        "CVE-2018-19985",
        "CVE-2019-11815",
        "CVE-2019-3459",
        "CVE-2019-3460",
        "CVE-2019-3819",
        "CVE-2019-3837",
        "CVE-2019-3882",
        "CVE-2019-3900",
        "CVE-2019-3901",
        "CVE-2019-8956",
        "CVE-2019-9213"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1636)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - The kernel package contains the Linux kernel (vmlinuz),
        the core of any Linux operating system. The kernel
        handles the basic functions of the operating system:
        memory allocation, process allocation, device input and
        output, etc.Security Fix(es):An issue was discovered in
        rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel
        before 5.0.8. There is a race condition leading to a
        use-after-free, related to net namespace
        cleanup.(CVE-2019-11815)A flaw was found in the Linux
        kernel's handle_rx() function in the vhost_net driver.
        A malicious virtual guest, under specific conditions,
        can trigger an out-of-bounds write in a kmalloc-8 slab
        on a virtual host which may lead to a kernel memory
        corruption and a system panic. Due to the nature of the
        flaw, privilege escalation cannot be fully ruled
        out.(CVE-2018-16880)A NULL pointer dereference security
        flaw was found in the Linux kernel in kvm_pv_send_ipi()
        in arch/x86/kvm/lapic.c. This allows local users with
        certain privileges to cause a denial of service via a
        crafted system call to the KVM
        subsystem.(CVE-2018-19406)The function
        hso_get_config_data in driverset/usb/hso.c in the Linux
        kernel through 4.19.8 reads if_num from the USB device
        (as a u8) and uses it to index a small array, resulting
        in an object out-of-bounds (OOB) read that potentially
        allows arbitrary read in the kernel address
        space.(CVE-2018-19985)** RESERVED ** This candidate has
        been reserved by an organization or individual that
        will use it when announcing a new security problem.
        When the candidate has been publicized, the details for
        this candidate will be provided.(CVE-2019-3459)**
        RESERVED ** This candidate has been reserved by an
        organization or individual that will use it when
        announcing a new security problem. When the candidate
        has been publicized, the details for this candidate
        will be provided.(CVE-2019-3460)A flaw was found in the
        Linux kernel in the function hid_debug_events_read() in
        the drivers/hid/hid-debug.c file which may enter an
        infinite loop with certain parameters passed from a
        userspace. A local privileged user ('root') can cause a
        system lock up and a denial of
        service.(CVE-2019-3819)In the Linux kernel before
        4.20.14, expand_downwards in mm/mmap.c lacks a check
        for the mmap minimum address, which makes it easier for
        attackers to exploit kernel NULL pointer dereferences
        on non-SMAP platforms. This is related to a capability
        check for the wrong task.(CVE-2019-9213)A flaw was
        found in the Linux kernel's vfio interface
        implementation that permits violation of the user's
        locked memory limit. If a device is bound to a vfio
        driver, such as vfio-pci, and the local attacker is
        administratively granted ownership of the device, it
        may cause a system memory exhaustion and thus a denial
        of service (DoS). Versions 3.10, 4.14 and 4.18 are
        vulnerable.(CVE-2019-3882)An infinite loop issue was
        found in the vhost_net kernel module in Linux Kernel up
        to and including v5.1-rc6, while handling incoming
        packets in handle_rx(). It could occur if one end sends
        packets faster than the other end can process them. A
        guest user, maybe remote one, could use this flaw to
        stall the vhost_net kernel thread, resulting in a DoS
        scenario.(CVE-2019-3900)It was found that the net_dma
        code in tcp_recvmsg() in the 2.6.32 kernel as shipped
        in RHEL6 is thread-unsafe. So an unprivileged
        multi-threaded userspace application calling recvmsg()
        for the same network socket in parallel executed on
        ioatdma-enabled hardware with net_dma enabled can leak
        the memory, crash the host leading to a
        denial-of-service or cause a random memory
        corruption.(CVE-2019-3837)A race condition in
        perf_event_open() allows local attackers to leak
        sensitive data from setuid programs. As no relevant
        locks (in particular the cred_guard_mutex) are held
        during the ptrace_may_access() call, it is possible for
        the specified target task to perform an execve()
        syscall with setuid execution before perf_event_alloc()
        actually attaches to it, allowing an attacker to bypass
        the ptrace_may_access() check and the
        perf_event_exit_task(current) call that is performed in
        install_exec_creds() during privileged execve() calls.
        This issue affects kernel versions before 4.8.
        (CVE-2019-3901)** RESERVED ** This candidate has been
        reserved by an organization or individual that will use
        it when announcing a new security problem. When the
        candidate has been publicized, the details for this
        candidate will be
        provided.(CVE-2019-8956)cipso_v4_validate in
        includeet/cipso_ipv4.h in the Linux kernel before
        3.11.7, when CONFIG_NETLABEL is disabled, allows
        attackers to cause a denial of service (infinite loop
        and crash), as demonstrated by icmpsic, a different
        vulnerability than CVE-2013-0310.(CVE-2013-7470)Note1:
        kernel-4.19.36-vhulk1907.1.0.h529 and earlier versions
        in EulerOS Virtualization for ARM 64 3.0.2.0 return
        incorrect time information when executing the uname -a
        command.Note2: The kernel version number naming format
        has been changed after 4.19.36-1.2.184.aarch64, the new
        version format is 4.19.36-vhulk1907.1.0.hxxx.aarch64,
        which may lead to false positives of this security
        advisory.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1636
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5118fa2c");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/30");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.36-1.2.159",
            "kernel-devel-4.19.36-1.2.159",
            "kernel-headers-4.19.36-1.2.159",
            "kernel-tools-4.19.36-1.2.159",
            "kernel-tools-libs-4.19.36-1.2.159",
            "kernel-tools-libs-devel-4.19.36-1.2.159",
            "perf-4.19.36-1.2.159",
            "python-perf-4.19.36-1.2.159"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }