Bug 462599 - (CVE-2008-4445) CVE-2008-4445 kernel: sctp: fix random memory dereference with SCTP_HMAC_IDENT option
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All, OS: Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
impact=moderate,public=20080827,repor...
Keywords: Security
Depends On: 460395
Reported: 2008-09-17 09:27 EDT by Eugene Teo (Security Response)
Modified: 2010-12-21 12:39 EST
Doc Type: Bug Fix
Last Closed: 2010-12-21 12:39:56 EST
Description Eugene Teo (Security Response) 2008-09-17 09:27:05 EDT
Description of problem:
Eugene Teo reported that the number of HMAC identifiers needs to be checked against the option length. Also, the identifier index provided needs to be verified to make sure that it does not exceed the bounds of the array. However, this does not have a security consequence as it is saved by a couple of conditions in the sctp_auth_ep_set_hmacs routine.

Reference:
8.1.19.  Get or set the list of supported HMAC Identifiers (SCTP_HMAC_IDENT)
http://ietfreport.isoc.org/idref/draft-ietf-tsvwg-sctpsocket/

Proposed upstream patch:
http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=d97240552cd98c4b07322f30f66fd9c3ba4171de

It depends on bug #459956.
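
The two checks named in the description above (identifier count against the option length, and each identifier against the bounds of the array it indexes), as an added user-space C example. It is not the kernel patch and not part of the original report; the buffer layout, the names `validate_hmac_opt`, `hmac_table`, `HDR_LEN`, `TABLE_SIZE` and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: a 32-bit count, then that many 16-bit identifiers.
 * All names and limits are illustrative, not kernel definitions. */
#define HDR_LEN    sizeof(uint32_t)
#define TABLE_SIZE 4u
/* Stand-in for the algorithm table that identifiers index into. */
static const char *const hmac_table[TABLE_SIZE] = { NULL, "sha1", NULL, "sha256" };

/* Returns 0 if the option is well formed, -1 otherwise. */
int validate_hmac_opt(const void *buf, size_t optlen)
{
    const unsigned char *p = buf;
    uint32_t count;
    uint16_t id;
    /* 1. The count field itself must lie inside the supplied buffer. */
    if (p == NULL || optlen < HDR_LEN)
        return -1;
    memcpy(&count, p, sizeof(count));

    /* 2. The claimed count must fit in the bytes actually supplied. */
    if (count > (optlen - HDR_LEN) / sizeof(id))
        return -1;

    /* 3. Each identifier becomes an array index, so bound it before use. */
    for (uint32_t i = 0; i < count; i++) {
        memcpy(&id, p + HDR_LEN + (size_t)i * sizeof(id), sizeof(id));
        if (id >= TABLE_SIZE || hmac_table[id] == NULL)
            return -1;
    }
    return 0;
}

/* Constructed sample options (native byte order). */
struct sample { uint32_t count; uint16_t ids[2]; };
static const struct sample ok_opt    = { 2,   { 1, 3 } };
static const struct sample big_count = { 200, { 1, 3 } };  /* count exceeds optlen */
static const struct sample bad_id    = { 2,   { 1, 9 } };  /* id outside the table */

int main(void)
{
    printf("ok=%d big_count=%d bad_id=%d\n",
           validate_hmac_opt(&ok_opt, sizeof(ok_opt)),
           validate_hmac_opt(&big_count, sizeof(big_count)),
           validate_hmac_opt(&bad_id, sizeof(bad_id)));
    return 0;
}
```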
Comment 3 Eugene Teo (Security Response) 2008-09-17 10:14:44 EDT
(In reply to comment #0)
> Description of problem:
> Eugene Teo reported that the number of HMAC identifiers needs to be checked
> against the option length. Also, the identifier index provided needs to be
> verified to make sure that it does not exceed the bounds of the array. However,
> this does not have a security consequence as it is saved by a couple of
> conditions in the sctp_auth_ep_set_hmacs routine.

Not really. This could result in a possible information disclosure via sctp_getsockopt_hmac_ident().
Comment 7 Vincent Danen 2010-12-21 12:39:56 EST
This was addressed via:

MRG Realtime for RHEL 5 Server (RHSA-2008:0857)
