CVE-2013-7470 - Resource Exhaustion vulnerability in Linux Kernel

CVSS 7.1 - HIGH
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: COMPLETE
network, linux, CWE-400, nessus

Summary

cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel before 3.11.7, when CONFIG_NETLABEL is disabled, allows attackers to cause a denial of service (infinite loop and crash), as demonstrated by icmpsic, a different vulnerability than CVE-2013-0310.

Vulnerable Configurations

Part | Description | Count
OS   | Linux       | 1835

Common Attack Pattern Enumeration and Classification (CAPEC)

  • XML Ping of the Death
    An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
  • XML Entity Expansion
    An attacker submits an XML document to a target application where the XML document uses nested entity expansion to produce an excessively large output XML. XML allows the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.
  • Inducing Account Lockout
    An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.
  • Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS))
    XML Denial of Service (XDoS) can be applied to any technology that utilizes XML data. This is, of course, most distributed systems technology including Java, .Net, databases, and so on. XDoS is most closely associated with web services, SOAP, and REST, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. There are three primary attack vectors that XDoS can navigate:
      • Target CPU through recursion: attacker creates a recursive payload and sends to service provider.
      • Target memory through jumbo payloads: service provider uses DOM to parse XML. DOM creates in memory representation of XML document, but when document is very large (for example, north of 1 Gb) service provider host may exhaust memory trying to build memory objects.
      • XML Ping of death: attack service provider with numerous small files that clog the system.
    All of the above attacks exploit the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.

Nessus

  • NASL family: Misc.
    NASL id: ARISTA_EOS_SA0040.NASL
    description: The version of Arista Networks EOS running on the remote device is affected by a denial of service vulnerability in the Linux kernel. An unauthenticated, remote attacker can exploit this, by sending malformed packets with rarely used packet options to a vulnerable switch. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-03-17
    modified: 2020-03-06
    plugin id: 134304
    published: 2020-03-06
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/134304
    title: Arista Networks EOS kernel DoS (SA0040)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(134304);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/10");
    
      script_cve_id("CVE-2013-7470");
    
      script_name(english:"Arista Networks EOS kernel DoS (SA0040)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The version of Arista Networks EOS running on the remote device is affected by a denial of service vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of Arista Networks EOS running on the remote device is affected by a denial of service vulnerability in
    the Linux kernel. An unauthenticated, remote attacker can exploit this, by sending malformed packets with rarely used 
    packet options to a vulnerable switch.
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      # https://www.arista.com/en/support/advisories-notices/security-advisories/7098-security-advisory-40
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fc9de589");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Arista Networks EOS version EOS-4.18.11M / EOS-4.19.12.1M or later. Alternatively, apply the patch
    referenced in the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-7470");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/04/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/06");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:arista:eos");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("arista_eos_detect.nbin");
      script_require_keys("Host/Arista-EOS/Version");
    
      exit(0);
    }
    
    
    include('arista_eos_func.inc');
    
    version = get_kb_item_or_exit('Host/Arista-EOS/Version');
    ext='SecurityAdvisory0040Hotfix.rpm 1.0.0/eng';
    sha='7eea494a74245a06369ed11798bbcd13f6782932ee5586fb289ec6fc5dae4a300bc745a0aec4fb0e348d85d03c2aca37ad97c55313ced0f4c1632888944d2b1d';
    
    if(eos_extension_installed(ext:ext, sha:sha))
      audit(AUDIT_HOST_NOT, 'affected as a relevant hotfix has been installed');
    
    vmatrix = make_array();
    vmatrix['all'] =  make_list('4.14<=4.17.99');
    vmatrix['F'] =    make_list('4.19.0',
                                '4.19.1',
                                '4.19.2',
                                '4.19.2.1',
                                '4.19.2.2',
                                '4.19.2.3',
                                '4.19.3',
                                '4.18.0',
                                '4.18.2',
                                '4.18.1.1',
                                '4.18.2',
                                '4.18.2.1',
                                '4.18.3.1',
                                '4.18.4',
                                '4.18.4.1',
                                '4.18.4.2',
                                '4.18.5');
    
    vmatrix['M'] =    make_list('4.19.4',
                                '4.19.4.1',
                                '4.19.5',
                                '4.19.6',
                                '4.19.6.1',
                                '4.19.6.2',
                                '4.19.6.3',
                                '4.19.7',
                                '4.19.8',
                                '4.19.9',
                                '4.19.10',
                                '4.19.11',
                                '4.19.12',
                                '4.18.3',
                                '4.18.6',
                                '4.18.7',
                                '4.18.8',
                                '4.18.9',
                                '4.18.10');
    
    vmatrix['fix'] = '4.18.11M / 4.19.12.1M';
    
    if (eos_is_affected(vmatrix:vmatrix, version:version))
      security_report_v4(severity:SECURITY_HOLE, port:0, extra:eos_report_get());
    else
      audit(AUDIT_INST_VER_NOT_VULN, 'Arista Networks EOS', version);
    
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1636.NASL
    description: According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc. Security Fix(es): An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup. (CVE-2019-11815) A flaw was found in the Linux kernel
    last seen: 2020-04-16
    modified: 2019-05-30
    plugin id: 125588
    published: 2019-05-30
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/125588
    title: EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1636)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(125588);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/14");
    
      script_cve_id(
        "CVE-2013-7470",
        "CVE-2018-16880",
        "CVE-2018-19406",
        "CVE-2018-19985",
        "CVE-2019-11815",
        "CVE-2019-3459",
        "CVE-2019-3460",
        "CVE-2019-3819",
        "CVE-2019-3837",
        "CVE-2019-3882",
        "CVE-2019-3900",
        "CVE-2019-3901",
        "CVE-2019-8956",
        "CVE-2019-9213"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1636)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - The kernel package contains the Linux kernel (vmlinuz),
        the core of any Linux operating system. The kernel
        handles the basic functions of the operating system:
        memory allocation, process allocation, device input and
        output, etc.Security Fix(es):An issue was discovered in
        rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel
        before 5.0.8. There is a race condition leading to a
        use-after-free, related to net namespace
        cleanup.(CVE-2019-11815)A flaw was found in the Linux
        kernel's handle_rx() function in the vhost_net driver.
        A malicious virtual guest, under specific conditions,
        can trigger an out-of-bounds write in a kmalloc-8 slab
        on a virtual host which may lead to a kernel memory
        corruption and a system panic. Due to the nature of the
        flaw, privilege escalation cannot be fully ruled
        out.(CVE-2018-16880)A NULL pointer dereference security
        flaw was found in the Linux kernel in kvm_pv_send_ipi()
        in arch/x86/kvm/lapic.c. This allows local users with
        certain privileges to cause a denial of service via a
        crafted system call to the KVM
        subsystem.(CVE-2018-19406)The function
        hso_get_config_data in drivers/net/usb/hso.c in the Linux
        kernel through 4.19.8 reads if_num from the USB device
        (as a u8) and uses it to index a small array, resulting
        in an object out-of-bounds (OOB) read that potentially
        allows arbitrary read in the kernel address
        space.(CVE-2018-19985)** RESERVED ** This candidate has
        been reserved by an organization or individual that
        will use it when announcing a new security problem.
        When the candidate has been publicized, the details for
        this candidate will be provided.(CVE-2019-3459)**
        RESERVED ** This candidate has been reserved by an
        organization or individual that will use it when
        announcing a new security problem. When the candidate
        has been publicized, the details for this candidate
        will be provided.(CVE-2019-3460)A flaw was found in the
        Linux kernel in the function hid_debug_events_read() in
        the drivers/hid/hid-debug.c file which may enter an
        infinite loop with certain parameters passed from a
        userspace. A local privileged user ('root') can cause a
        system lock up and a denial of
        service.(CVE-2019-3819)In the Linux kernel before
        4.20.14, expand_downwards in mm/mmap.c lacks a check
        for the mmap minimum address, which makes it easier for
        attackers to exploit kernel NULL pointer dereferences
        on non-SMAP platforms. This is related to a capability
        check for the wrong task.(CVE-2019-9213)A flaw was
        found in the Linux kernel's vfio interface
        implementation that permits violation of the user's
        locked memory limit. If a device is bound to a vfio
        driver, such as vfio-pci, and the local attacker is
        administratively granted ownership of the device, it
        may cause a system memory exhaustion and thus a denial
        of service (DoS). Versions 3.10, 4.14 and 4.18 are
        vulnerable.(CVE-2019-3882)An infinite loop issue was
        found in the vhost_net kernel module in Linux Kernel up
        to and including v5.1-rc6, while handling incoming
        packets in handle_rx(). It could occur if one end sends
        packets faster than the other end can process them. A
        guest user, maybe remote one, could use this flaw to
        stall the vhost_net kernel thread, resulting in a DoS
        scenario.(CVE-2019-3900)It was found that the net_dma
        code in tcp_recvmsg() in the 2.6.32 kernel as shipped
        in RHEL6 is thread-unsafe. So an unprivileged
        multi-threaded userspace application calling recvmsg()
        for the same network socket in parallel executed on
        ioatdma-enabled hardware with net_dma enabled can leak
        the memory, crash the host leading to a
        denial-of-service or cause a random memory
        corruption.(CVE-2019-3837)A race condition in
        perf_event_open() allows local attackers to leak
        sensitive data from setuid programs. As no relevant
        locks (in particular the cred_guard_mutex) are held
        during the ptrace_may_access() call, it is possible for
        the specified target task to perform an execve()
        syscall with setuid execution before perf_event_alloc()
        actually attaches to it, allowing an attacker to bypass
        the ptrace_may_access() check and the
        perf_event_exit_task(current) call that is performed in
        install_exec_creds() during privileged execve() calls.
        This issue affects kernel versions before 4.8.
        (CVE-2019-3901)** RESERVED ** This candidate has been
        reserved by an organization or individual that will use
        it when announcing a new security problem. When the
        candidate has been publicized, the details for this
        candidate will be
        provided.(CVE-2019-8956)cipso_v4_validate in
        include/net/cipso_ipv4.h in the Linux kernel before
        3.11.7, when CONFIG_NETLABEL is disabled, allows
        attackers to cause a denial of service (infinite loop
        and crash), as demonstrated by icmpsic, a different
        vulnerability than CVE-2013-0310.(CVE-2013-7470)Note1:
        kernel-4.19.36-vhulk1907.1.0.h529 and earlier versions
        in EulerOS Virtualization for ARM 64 3.0.2.0 return
        incorrect time information when executing the uname -a
        command.Note2: The kernel version number naming format
        has been changed after 4.19.36-1.2.184.aarch64, the new
        version format is 4.19.36-vhulk1907.1.0.hxxx.aarch64,
        which may lead to false positives of this security
        advisory.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1636
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5118fa2c");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/30");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.36-1.2.159",
            "kernel-devel-4.19.36-1.2.159",
            "kernel-headers-4.19.36-1.2.159",
            "kernel-tools-4.19.36-1.2.159",
            "kernel-tools-libs-4.19.36-1.2.159",
            "kernel-tools-libs-devel-4.19.36-1.2.159",
            "perf-4.19.36-1.2.159",
            "python-perf-4.19.36-1.2.159"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }