CVE-2022-25375 - OpenCVE

An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Linux	Linux Kernel

Configuration 1 [-]

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2022/02/21/1
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.10
https://github.com/szymonh/rndis-co
https://github.com/torvalds/linux/commit/38ea1eac7d88072bbffb630e2b3db83ca649b826
https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html
https://nvd.nist.gov/vuln/detail/CVE-2022-25375
https://www.cve.org/CVERecord?id=CVE-2022-25375
https://www.debian.org/security/2022/dsa-5092
https://www.debian.org/security/2022/dsa-5096

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-02-20T19:47:01

Updated: 2024-08-03T04:36:06.951Z

Reserved: 2022-02-20T00:00:00

Link: CVE-2022-25375

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-02-20T20:15:18.117

Modified: 2023-08-08T14:22:24.967

Link: CVE-2022-25375

Redhat

Severity : Moderate

Publid Date: 2022-02-11T00:00:00Z

Links: CVE-2022-25375 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-10T02:06:39", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.10"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/torvalds/linux/commit/38ea1eac7d88072bbffb630e2b3db83ca649b826"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/szymonh/rndis-co"}, {"name": "[oss-security] 20220221 CVE-2022-25375 : Linux RNDIS USB Gadget memory extraction via packet filter", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/02/21/1"}, {"name": "DSA-5092", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2022/dsa-5092"}, {"name": "[debian-lts-announce] 20220309 [SECURITY] [DLA 2940-1] linux security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html"}, {"name": "[debian-lts-announce] 20220309 [SECURITY] [DLA 2941-1] linux-4.19 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html"}, {"name": "DSA-5096", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2022/dsa-5096"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-25375", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.10", "refsource": "MISC", "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.10"}, {"name": "https://github.com/torvalds/linux/commit/38ea1eac7d88072bbffb630e2b3db83ca649b826", "refsource": "MISC", "url": "https://github.com/torvalds/linux/commit/38ea1eac7d88072bbffb630e2b3db83ca649b826"}, {"name": "https://github.com/szymonh/rndis-co", "refsource": "MISC", "url": "https://github.com/szymonh/rndis-co"}, {"name": "[oss-security] 20220221 CVE-2022-25375 : Linux RNDIS USB Gadget memory extraction via packet filter", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/02/21/1"}, {"name": "DSA-5092", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5092"}, {"name": "[debian-lts-announce] 20220309 [SECURITY] [DLA 2940-1] linux security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html"}, {"name": "[debian-lts-announce] 20220309 [SECURITY] [DLA 2941-1] linux-4.19 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html"}, {"name": "DSA-5096", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5096"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:36:06.951Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.10"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/torvalds/linux/commit/38ea1eac7d88072bbffb630e2b3db83ca649b826"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/szymonh/rndis-co"}, {"name": "[oss-security] 20220221 CVE-2022-25375 : Linux RNDIS USB Gadget memory extraction via packet filter", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/02/21/1"}, {"name": "DSA-5092", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5092"}, {"name": "[debian-lts-announce] 20220309 [SECURITY] [DLA 2940-1] linux security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html"}, {"name": "[debian-lts-announce] 20220309 [SECURITY] [DLA 2941-1] linux-4.19 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html"}, {"name": "DSA-5096", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5096"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-25375", "datePublished": "2022-02-20T19:47:01", "dateReserved": "2022-02-20T00:00:00", "dateUpdated": "2024-08-03T04:36:06.951Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6FADC79F-20B6-4353-B8FF-03CDC52EFBE4", "versionEndExcluding": "5.16.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory."}, {"lang": "es", "value": "Se ha detectado un problema en el archivo drivers/usb/gadget/function/rndis.c en el kernel de Linux versiones anteriores a 5.16.10. El gadget USB RNDIS no comprueba el tama\u00f1o del comando RNDIS_MSG_SET. Los atacantes pueden obtener informaci\u00f3n confidencial de la memoria del kernel"}], "id": "CVE-2022-25375", "lastModified": "2023-08-08T14:22:24.967", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-20T20:15:18.117", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/02/21/1"}, {"source": "cve@mitre.org", "tags": ["Patch", "Release Notes", "Vendor Advisory"], "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.10"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/szymonh/rndis-co"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/torvalds/linux/commit/38ea1eac7d88072bbffb630e2b3db83ca649b826"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5092"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5096"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1284"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: information disclosure in drivers/usb/gadget/function/rndis.c", "id": "2059923", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2059923"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-668->CWE-552", "details": ["An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.", "An information disclosure vulnerability was found in the Linux kernel. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. This flaw allows a local attacker to dump contents of kernel memory space via a packet filter update mechanism and potentially extract sensitive information."], "name": "CVE-2022-25375", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2022-02-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-25375\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25375"], "statement": "Red Hat Enterprise Linux is not affected by this flaw as CONFIG_USB_GADGET is not enabled in any current shipping kernels.", "threat_severity": "Moderate", "upstream_fix": "kernel 5.17-rc4"}