Vulnerability Details : CVE-2014-2523

net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function.

Vulnerability category: Input validationExecute codeDenial of service

Published 2014-03-24 16:40:48

Updated 2023-01-19 16:26:35

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2014-2523

Probability of exploitation activity in the next 30 days: 7.47%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 93 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2014-2523

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	[email protected]
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2014-2523

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: [email protected] (Primary)

References for CVE-2014-2523

https://exchange.xforce.ibmcloud.com/vulnerabilities/91910

Third Party Advisory;VDB Entry
https://github.com/torvalds/linux/commit/b22f5126a24b3b2f15448c3f2a254fc10cbc2b92

Patch;Third Party Advisory
http://www.ubuntu.com/usn/USN-2174-1

Third Party Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1029945

Third Party Advisory;VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1077343

Issue Tracking;Third Party Advisory
http://www.securityfocus.com/bid/66279

Third Party Advisory;VDB Entry
http://www.ubuntu.com/usn/USN-2173-1

Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2014/03/17/7

Mailing List;Patch;Third Party Advisory
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b22f5126a24b3b2f15448c3f2a254fc10cbc2b92

Patch;Vendor Advisory
http://twitter.com/grsecurity/statuses/445496197399461888

Broken Link

Products affected by CVE-2014-2523

Linux » Linux Kernel
Versions from including (>=) 3.13.0 and before (<) 3.13.9
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions before (<) 3.2.57
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 3.3 and before (<) 3.4.86
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 3.11 and before (<) 3.12.17
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 3.5 and before (<) 3.10.36
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 10.04
cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
Matching versions