CVE-2013-2547

Description

The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 does not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability.

References

Link	Tags
http://www.ubuntu.com/usn/USN-1796-1	vendor advisory
https://github.com/torvalds/linux/commit/9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6
http://www.mandriva.com/security/advisories?name=MDVSA-2013:176	vendor advisory
http://www.ubuntu.com/usn/USN-1797-1	vendor advisory
http://www.openwall.com/lists/oss-security/2013/03/05/13	mailing list
http://www.ubuntu.com/usn/USN-1793-1	vendor advisory
http://lists.opensuse.org/opensuse-updates/2013-12/msg00129.html	vendor advisory
http://www.ubuntu.com/usn/USN-1794-1	vendor advisory
http://www.ubuntu.com/usn/USN-1795-1	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2013-2547?: CVE-2013-2547 has been scored as a low severity vulnerability.
How to fix CVE-2013-2547?: To fix CVE-2013-2547, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2013-2547 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2013-2547 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-310 – Cryptographic Issues

References

Frequently Asked Questions