CVE-2013-6282
Published: 20 November 2013
Summary
CVE-2013-6282 is a high-severity Improper Input Validation (CWE-20) vulnerability in the Linux kernel. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 1.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability is an instance of improper input validation (CWE-20) in the get_user and put_user API functions of the Linux kernel prior to version 3.5.5 when running on ARM v6k and v7 platforms. These functions do not validate certain addresses, allowing access to arbitrary kernel memory locations.
Local attackers who can execute a crafted application on an affected system can leverage the flaw to read from or write to arbitrary kernel memory. The issue carried a CVSS 3.1 score of 8.8 and was observed being exploited in the wild against Android devices during October and November 2013.
Advisories and the kernel changelog reference a fix that landed in version 3.5.5, with the corresponding commit (8404663f81d212918ff85f493649a7991209fa04) restoring proper address validation for the affected API functions on the impacted ARM platforms. Code Aurora and other downstream distributions published corresponding security notices pointing to the same upstream change.
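The missing check described above can be shown with a simplified user-space model, added here as an illustration; it is not kernel code and not the upstream fix. The flat memory array, USER_LIMIT and all function names are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not kernel code: one flat array stands in for memory.
 * Bytes below USER_LIMIT are "user" memory, the rest is "kernel" memory.
 * Both halves are mapped, as they are for code running in kernel mode. */
#define MEM_SIZE   64u
#define USER_LIMIT 32u            /* hypothetical user/kernel boundary */
static uint8_t mem[MEM_SIZE];

/* Models only the hardware view: is the whole access mapped at all? */
static int mapped(uint32_t addr, uint32_t size)
{
    return size <= MEM_SIZE && addr <= MEM_SIZE - size;
}

/* Overflow-safe: [addr, addr + size) must lie entirely below USER_LIMIT.
 * Written without computing addr + size, which could wrap past zero. */
static int user_range_ok(uint32_t addr, uint32_t size)
{
    return size <= USER_LIMIT && addr <= USER_LIMIT - size;
}

/* Flawed shape: the caller-supplied address is used without validation. */
int put_user_unchecked(uint32_t val, uint32_t addr)
{
    if (!mapped(addr, sizeof val)) return -EFAULT;  /* page-fault analogue */
    memcpy(&mem[addr], &val, sizeof val);
    return 0;
}

/* Corrected shape: reject anything that is not wholly user memory. */
int put_user_checked(uint32_t val, uint32_t addr)
{
    if (!user_range_ok(addr, sizeof val)) return -EFAULT;
    memcpy(&mem[addr], &val, sizeof val);
    return 0;
}

int get_user_checked(uint32_t *val, uint32_t addr)
{
    if (!user_range_ok(addr, sizeof *val)) return -EFAULT;
    memcpy(val, &mem[addr], sizeof *val);
    return 0;
}

/* Inspection helper: read one byte of the model's memory directly. */
uint8_t model_byte(uint32_t addr) { return mem[addr]; }
```

The checked variants also reject an access that starts in user memory but straddles the boundary, and one whose end address would wrap around; a naive `addr + size <= limit` comparison misses the second case.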
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-6110
Vulnerability details
The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.
- CWE(s)
- KEV Date Added: 15 September 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of addresses passed to get_user/put_user, preventing the arbitrary kernel-memory read/write that the CVE exploits.
Enforces that only explicitly authorized subjects may access kernel memory locations, blocking the unauthorized reads/writes enabled by the missing address checks.
Provides hardware or software memory-protection mechanisms that can limit the impact of invalid kernel-memory accesses attempted via the flawed APIs.