SB2014111003 - NULL pointer dereference in Linux kernel

Description

This security bulletin contains information about 1 security vulnerability.

1) NULL pointer dereference (CVE-ID: CVE-2014-7207)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in Debian patch to the IPv6 implementation in the Linux kernel 3.2.x through 3.2.63 does not properly validate arguments in ipv6_select_ident function calls, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging (1) tun or (2) macvtap device access. <a href="http://cwe.mitre.org/data/definitions/476. A remote attacker can perform a denial of service (DoS) attack.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• http://www.debian.org/security/2014/dsa-3060
• http://www.openwall.com/lists/oss-security/2014/11/02/1
• http://www.securityfocus.com/bid/70867
• http://www.ubuntu.com/usn/USN-2417-1
• http://www.ubuntu.com/usn/USN-2418-1
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766195