CVE-2011-1022

critical

Description

The cgre_receive_netlink_msg function in daemon/cgrulesengd.c in cgrulesengd in the Control Group Configuration Library (aka libcgroup or libcg) before 0.37.1 does not verify that netlink messages originated in the kernel, which allows local users to bypass intended resource restrictions via a crafted message.
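The check this class of bug omits can be sketched as follows. This is an added example, not libcgroup's code: it receives a datagram together with its sender address and drops anything that is not a netlink message with port id 0, the id the kernel sends with. The names `sender_is_kernel` and `recv_from_kernel` are hypothetical.

```c
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <linux/netlink.h>

/* True only for a sender address the kernel itself produces: a full
 * sockaddr_nl, family AF_NETLINK, port id (nl_pid) 0. User-space netlink
 * sockets are assigned a non-zero port id when bound. */
bool sender_is_kernel(const struct sockaddr_nl *from, socklen_t from_len)
{
    return from_len == sizeof(*from) &&
           from->nl_family == AF_NETLINK &&
           from->nl_pid == 0;
}

/* Hypothetical helper: receive one datagram and return it to the caller
 * only if it came from the kernel. Returns the payload length, or -1 on
 * error, truncation, or a non-kernel sender (the message is dropped). */
ssize_t recv_from_kernel(int fd, void *buf, size_t len)
{
    struct sockaddr_nl from;
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg;
    ssize_t n;

    memset(&from, 0, sizeof(from));
    memset(&msg, 0, sizeof(msg));
    msg.msg_name = &from;           /* ask the kernel for the sender address */
    msg.msg_namelen = sizeof(from);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;

    n = recvmsg(fd, &msg, 0);
    if (n < 0 || (msg.msg_flags & MSG_TRUNC))
        return -1;
    if (!sender_is_kernel(&from, msg.msg_namelen))
        return -1;                  /* forged or foreign sender: drop */
    return n;
}
```

A daemon that acts on process events should call a wrapper like this instead of a bare `recv`, so that a message from another local process never reaches the parsing code.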

References

https://bugzilla.redhat.com/show_bug.cgi?id=680409

http://www.vupen.com/english/advisories/2011/0774

http://www.vupen.com/english/advisories/2011/0679

http://www.securitytracker.com/id?1025157

http://www.securityfocus.com/bid/46578

http://www.redhat.com/support/errata/RHSA-2011-0320.html

http://www.debian.org/security/2011/dsa-2193

http://sourceforge.net/projects/libcg/files/libcgroup/v0.37.1/libcgroup-0.37.1.tar.bz2/download

http://sourceforge.net/mailarchive/message.php?msg_id=27102603

http://sourceforge.net/mailarchive/message.php?msg_id=26598749

http://secunia.com/advisories/44093

http://secunia.com/advisories/43891

http://secunia.com/advisories/43758

http://secunia.com/advisories/43611

http://openwall.com/lists/oss-security/2011/02/25/9

http://openwall.com/lists/oss-security/2011/02/25/6

http://openwall.com/lists/oss-security/2011/02/25/14

http://openwall.com/lists/oss-security/2011/02/25/12

http://openwall.com/lists/oss-security/2011/02/25/11

http://lists.opensuse.org/opensuse-updates/2011-04/msg00027.html

http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056734.html

http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056683.html

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=615987

Details

Source: Mitre, NVD

Published: 2011-03-22

Updated: 2011-09-07

Risk Information

CVSS v2

Base Score: 2.1

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical