CVE-2013-2635 : The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain str

The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.

Published 2013-03-22 11:59:12

Updated 2014-02-07 04:47:17

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2013-2635

Probability of exploitation activity in the next 30 days: 0.12%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 45 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2013-2635

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
1.9	LOW	AV:L/AC:M/Au:N/C:P/I:N/A:N	3.4	2.9	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2013-2635

CWE-399

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-2635

https://bugzilla.redhat.com/show_bug.cgi?id=923652

923652 – (CVE-2013-1873) CVE-2013-1873 Kernel: information leaks via netlink interface

CVEs referencing this url
http://www.ubuntu.com/usn/USN-1813-1

USN-1813-1: Linux kernel vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2013-1051.html

RHSA-2013:1051 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://www.ubuntu.com/usn/USN-1812-1

USN-1812-1: Linux kernel (Quantal HWE) vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00018.html

[security-announce] openSUSE-SU-2013:1187-1: important: 3.0.80 kernel up

CVEs referencing this url
http://www.ubuntu.com/usn/USN-1811-1

USN-1811-1: Linux kernel (OMAP4) vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.4

CVEs referencing this url
http://www.mandriva.com/security/advisories?name=MDVSA-2013:176

mandriva.com

CVEs referencing this url
https://github.com/torvalds/linux/commit/84d73cd3fb142bf1298a8c13fd4ca50fd2432372

rtnl: fix info leak on RTM_GETLINK request for VF devices · torvalds/linux@84d73cd · GitHub
Patch
http://www.ubuntu.com/usn/USN-1814-1

USN-1814-1: Linux kernel (OMAP4) vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2013/03/20/1

oss-security - Re: Linux kernel: net - three info leaks in rtnl

CVEs referencing this url
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=84d73cd3fb142bf1298a8c13fd4ca50fd2432372

kernel/git/torvalds/linux.git - Linux kernel source tree
Patch
http://lists.opensuse.org/opensuse-updates/2013-12/msg00129.html

openSUSE-SU-2013:1971-1: moderate: kernel: security and bugfix update

CVEs referencing this url
http://www.ubuntu.com/usn/USN-1809-1

USN-1809-1: Linux kernel vulnerabilities | Ubuntu security notices

CVEs referencing this url

Products affected by CVE-2013-2635

Linux » Linux Kernel
Versions up to, including, (<=) 3.8.3
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 3.8.1
cpe:2.3:o:linux:linux_kernel:3.8.1:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 3.8.2
cpe:2.3:o:linux:linux_kernel:3.8.2:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 3.8.0
cpe:2.3:o:linux:linux_kernel:3.8.0:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2013-2635

Exploit prediction scoring system (EPSS) score for CVE-2013-2635

CVSS scores for CVE-2013-2635

CWE ids for CVE-2013-2635

References for CVE-2013-2635

Products affected by CVE-2013-2635