In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.
Mend Note: After conducting further research, Mend has determined that CVE-2020-25211 only affects environments with versions v2.6.11-tree--v4.4.238, v4.5-rc1--v4.9.238, v4.10-rc1--v4.14.200, v4.15-rc1--v4.19.149, v5.0-rc1--v5.4.69, v5.5-rc1--v5.8.12 and v5.9-rc1--v5.9-rc6 of Linux Kernel.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
CVE-2020-25211 - Medium Severity Vulnerability
Vulnerable Library - linuxlinux-4.19.236
The Linux Kernel
Library home page: https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/?wsslib=linux
Found in HEAD commit: 03cb3c6f0e0b62b5cbcd747df63781fbb2a6ef66
Found in base branch: master
Vulnerable Source Files (1)
/net/netfilter/nf_conntrack_netlink.c
Vulnerability Details
In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff. Mend Note: After conducting further research, Mend has determined that CVE-2020-25211 only affects environments with versions v2.6.11-tree--v4.4.238, v4.5-rc1--v4.9.238, v4.10-rc1--v4.14.200, v4.15-rc1--v4.19.149, v5.0-rc1--v5.4.69, v5.5-rc1--v5.8.12 and v5.9-rc1--v5.9-rc6 of Linux Kernel.
Publish Date: 2020-09-09
URL: CVE-2020-25211
CVSS 3 Score Details (6.0)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2020-09-09
Fix Resolution: v4.4.239,v4.9.239,v4.14.201,v4.19.150,v5.4.70,v5.8.13,v5.9-rc7
Step up your Open Source Security Game with Mend here