The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Linux kernel: unreachable memory reading via x509_decode_time

Synthesis of the vulnerability 

An attacker can force a read at an invalid address in the x509_decode_time() function of the Linux kernel, in order to trigger a denial of service.
Impacted software: Linux.
Severity of this computer vulnerability: 1/4.
Creation date: 27/11/2015.
References for this announcement: CVE-2015-5327, VIGILANCE-VUL-18388.

Description of the vulnerability 

The Linux kernel implements cryptographic features.

The x509_decode_time() function in the crypto/asymmetric_keys/x509_cert_parser.c file decodes the times encoded in an X.509 certificate. However, when the month number is too large, this function reads from an unreachable memory area, which triggers a fatal error.

An attacker can therefore force a read at an invalid address in the x509_decode_time() function of the Linux kernel, in order to trigger a denial of service.
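The defect described above is the classic pattern of using a decoded field as a table index before range-checking it. The following C parser for an ASN.1 UTCTime value (YYMMDDHHMMSSZ) is an added example written for this bulletin, not the kernel's own x509_decode_time(); the function and type names are hypothetical. It shows the check that must precede the month-length lookup, and rejects the out-of-range month values that would otherwise read past the table.

```c
#include <stddef.h>

/* Days per month, indexed 0..11. Indexing this table with an unvalidated
 * month value is the out-of-bounds read pattern the bulletin describes. */
static const unsigned char month_lengths[] = {
    31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
};

struct utc_time {
    int year, mon, day, hour, min, sec;
};

/* Parse two ASCII digits; return -1 on any non-digit. */
static int two_digits(const unsigned char *p)
{
    if (p[0] < '0' || p[0] > '9' || p[1] < '0' || p[1] > '9')
        return -1;
    return (p[0] - '0') * 10 + (p[1] - '0');
}

/* Decode an ASN.1 UTCTime of the form YYMMDDHHMMSSZ (13 bytes).
 * Hypothetical helper written for this example, not the kernel's own
 * x509_decode_time(). Returns 0 on success, -1 if malformed or out of range. */
int decode_utctime(const unsigned char *p, size_t len, struct utc_time *t)
{
    int yy, mon_len;
    if (len != 13 || p[12] != 'Z')
        return -1;
    yy = two_digits(p);
    t->mon = two_digits(p + 2);
    t->day = two_digits(p + 4);
    t->hour = two_digits(p + 6);
    t->min = two_digits(p + 8);
    t->sec = two_digits(p + 10);
    if (yy < 0 || t->mon < 0 || t->day < 0 || t->hour < 0 || t->min < 0 || t->sec < 0)
        return -1;
    /* RFC 5280: UTCTime years 50..99 mean 1950..1999, 00..49 mean 2000..2049. */
    t->year = yy >= 50 ? 1900 + yy : 2000 + yy;
    /* Range-check the month BEFORE using it as a table index; skipping this
     * check is exactly what lets a month of 0 or >12 read past the table. */
    if (t->mon < 1 || t->mon > 12)
        return -1;
    mon_len = month_lengths[t->mon - 1];
    if (t->mon == 2 && t->year % 4 == 0 && (t->year % 100 != 0 || t->year % 400 == 0))
        mon_len = 29;   /* leap-year February */
    if (t->day < 1 || t->day > mon_len || t->hour > 23 || t->min > 59 || t->sec > 59)
        return -1;
    return 0;
}
```

The constructed inputs in the test below include a month of 13, a truncated value and a non-leap-year 29 February, all of which are rejected before any table lookup or date arithmetic.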

This cybersecurity weakness impacts software or systems such as Linux.

Our Vigil@nce team determined that the severity of this security vulnerability is low.

The trust level is "confirmed by the editor" (the vendor), with a published document as origin.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with specialist skills can exploit the vulnerability described in this bulletin.

Solutions for this threat 

Linux kernel: version 4.3.2.
Version 4.3.2 is fixed:
  https://cdn.kernel.org/pub/linux/kernel/v4.x/

Linux kernel: patch for x509_decode_time.
A patch is referenced in the information sources.

Computer vulnerabilities tracking service 

Vigil@nce provides a systems vulnerability database. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.