Vulnerability Details : CVE-2014-2523
net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function.
Vulnerability category: Input validationExecute codeDenial of service
Products affected by CVE-2014-2523
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-2523
7.47%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 93 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-2523
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST |
CWE ids for CVE-2014-2523
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-2523
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/91910
Linux Kernel /netfilter/nf_conntrack_proto_dccp.c file code execution CVE-2014-2523 Vulnerability ReportThird Party Advisory;VDB Entry
-
https://github.com/torvalds/linux/commit/b22f5126a24b3b2f15448c3f2a254fc10cbc2b92
netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages · torvalds/linux@b22f512 · GitHubPatch;Third Party Advisory
-
http://www.ubuntu.com/usn/USN-2174-1
USN-2174-1: Linux kernel (EC2) vulnerabilities | Ubuntu security noticesThird Party Advisory
-
http://www.securitytracker.com/id/1029945
Linux Kernel Netfilter DCCP Processing Flaw Lets Remote Users Execute Arbitrary Code - SecurityTrackerThird Party Advisory;VDB Entry
-
https://bugzilla.redhat.com/show_bug.cgi?id=1077343
1077343 – (CVE-2014-2523) CVE-2014-2523 kernel: netfilter: nf_conntrack_dccp: incorrect skb_header_pointer API usagesIssue Tracking;Third Party Advisory
-
http://www.securityfocus.com/bid/66279
Linux Kernel Multiple Function Remote Memory Corruption VulnerabilitiesThird Party Advisory;VDB Entry
-
http://www.ubuntu.com/usn/USN-2173-1
USN-2173-1: Linux kernel vulnerabilities | Ubuntu security noticesThird Party Advisory
-
http://www.openwall.com/lists/oss-security/2014/03/17/7
oss-security - Re: CVE Request: netfilter: remote memory corruption in nf_conntrack_proto_dccp.cMailing List;Patch;Third Party Advisory
-
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b22f5126a24b3b2f15448c3f2a254fc10cbc2b92
kernel/git/torvalds/linux.git - Linux kernel source treePatch;Vendor Advisory
-
http://twitter.com/grsecurity/statuses/445496197399461888
Twitter / ?Broken Link
Jump to