CVE-2016-9555

kernel: Slab out-of-bounds access in sctp_sf_ootb()

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data.

La función sctp_sf_ootb en net/sctp/sm_statefuns.c en el kernel Linux en versiones anteriores a 4.8.8 carece de comprobación de longitud de fragmento para el primer fragmento, lo que permite a atacantes remotos provocar una denegación de servicio (acceso slab fuera de límites) o tener otro posible impacto no especificado a través de datos SCTP manipulados.

A flaw was found in the Linux kernel's implementation of the SCTP protocol. A remote attacker could trigger an out-of-bounds read with an offset of up to 64kB potentially causing the system to crash.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-11-22 CVE Reserved
2016-11-28 CVE Published
2024-02-29 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-125: Out-of-bounds Read

CAPEC

References (24)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2016/11/22/18	Mailing List
http://www.securityfocus.com/bid/94479	Third Party Advisory
http://www.securitytracker.com/id/1037339	Third Party Advisory
https://bto.bluecoat.com/security-advisory/sa134	Third Party Advisory
https://groups.google.com/forum/#%21topic/syzkaller/pAUcHsUJbjk	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bf911e985d6bbaa328c20c3e05f4eb03de11fdd6	2023-11-07
https://github.com/torvalds/linux/commit/bf911e985d6bbaa328c20c3e05f4eb03de11fdd6	2023-11-07

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00044.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00054.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00055.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00056.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00067.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00070.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00073.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00076.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00077.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00087.html	2023-11-07
http://rhn.redhat.com/errata/RHSA-2017-0086.html	2023-11-07
http://rhn.redhat.com/errata/RHSA-2017-0091.html	2023-11-07
http://rhn.redhat.com/errata/RHSA-2017-0113.html	2023-11-07
http://rhn.redhat.com/errata/RHSA-2017-0307.html	2023-11-07
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.8	2023-11-07
https://bugzilla.redhat.com/show_bug.cgi?id=1397930	2017-02-23
https://access.redhat.com/security/cve/CVE-2016-9555	2017-02-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.2 < 3.2.85 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.2 < 3.2.85"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.3 < 3.10.105 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.3 < 3.10.105"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.11 < 3.12.68 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.11 < 3.12.68"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.13 < 3.16.40 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 3.16.40"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.17 < 3.18.49 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.17 < 3.18.49"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.19 < 4.4.32 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 4.4.32"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.5.0 < 4.8.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.5.0 < 4.8.8"		-		Affected