CVE-2020-10751

medium

Description

A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.

References

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.openwall.com/lists/oss-security/2020/04/30/5

https://www.debian.org/security/2020/dsa-4699

https://www.debian.org/security/2020/dsa-4698

https://usn.ubuntu.com/4413-1/

https://usn.ubuntu.com/4412-1/

https://usn.ubuntu.com/4391-1/

https://usn.ubuntu.com/4390-1/

https://usn.ubuntu.com/4389-1/

https://lore.kernel.org/selinux/CACT4Y+b8HiV6KFuAPysZD=5hmyO4QisgxCKi4DHU3CfMPSP=yg%40mail.gmail.com/

https://lists.debian.org/debian-lts-announce/2020/06/msg00013.html

https://lists.debian.org/debian-lts-announce/2020/06/msg00012.html

https://lists.debian.org/debian-lts-announce/2020/06/msg00011.html

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fb73974172ffaaf57a7c42f35424d9aece1a5af6

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10751

http://www.openwall.com/lists/oss-security/2020/05/27/3

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00008.html

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00022.html

Details

Source: Mitre, NVD

Published: 2020-05-26

Updated: 2023-02-12

Risk Information

CVSS v2

Base Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:N

Severity: Low

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Severity: Medium