CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2016-6559 – The BSD libc library's link_ntoa() function may be vulnerable to a classic buffer overflow
https://notcve.org/view.php?id=CVE-2016-6559
Improper bounds checking of the obuf variable in the link_ntoa() function in linkaddr.c of the BSD libc library may allow an attacker to read or write from memory. The full impact and severity depends on the method of exploit and how the library is used by applications. According to analysis by FreeBSD developers, it is very unlikely that applications exist that utilize link_ntoa() in an exploitable manner, and the CERT/CC is not aware of any proof of concept. A blog post describes the functionality of link_ntoa() and points out that none of the base utilities use this function in an exploitable manner. For more information, please see FreeBSD Security Advisory SA-16:37. • http://www.securitytracker.com/id/1037398 https://www.freebsd.org/security/advisories/FreeBSD-SA-16:37.libc.asc https://www.kb.cert.org/vuls/id/548487 https://www.securityfocus.com/bid/94694 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 5.6EPSS: 0%CPEs: 481EXPL: 0CVE-2018-3665 – Kernel: FPU state information leakage via lazy FPU restore
https://notcve.org/view.php?id=CVE-2018-3665
System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel. El software de sistema que emplea la técnica de restauración de estado Lazy FP en los sistemas que emplean microprocesadores de Intel Core podrían permitir que un proceso local infiera datos de otro proceso mediante un canal lateral de ejecución especulativa. A Floating Point Unit (FPU) state information leakage flaw was found in the way the Linux kernel saved and restored the FPU state during task switch. Linux kernels that follow the "Lazy FPU Restore" scheme are vulnerable to the FPU state information leakage issue. An unprivileged local attacker could use this flaw to read FPU state bits by conducting targeted cache side-channel attacks, similar to the Meltdown vulnerability disclosed earlier this year. • http://www.securityfocus.com/bid/104460 http://www.securitytracker.com/id/1041124 http://www.securitytracker.com/id/1041125 https://access.redhat.com/errata/RHSA-2018:1852 https://access.redhat.com/errata/RHSA-2018:1944 https://access.redhat.com/errata/RHSA-2018:2164 https://access.redhat.com/errata/RHSA-2018:2165 https://access.redhat.com/errata/RHSA-2019:1170 https://access.redhat.com/errata/RHSA-2019:1190 https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes& • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-6920
https://notcve.org/view.php?id=CVE-2018-6920
In FreeBSD before 11.1-STABLE(r332303), 11.1-RELEASE-p10, 10.4-STABLE(r332321), and 10.4-RELEASE-p9, due to insufficient initialization of memory copied to userland in the Linux subsystem and Atheros wireless driver, small amounts of kernel memory may be disclosed to userland processes. Unprivileged authenticated local users may be able to access small amounts of privileged kernel data. En FreeBSD, en versiones anteriores a la 11.1-STABLE(r332303), 11.1-RELEASE-p10, 10.4-STABLE(r332321) y 10.4-RELEASE-p9, debido a la insuficiente inicialización de la memoria copiada en userland en el subsistema de Linux y el controlador inalámbrico de Atheros, pequeñas cantidades de la memoria del kernel pueden divulgarse a los procesos de userland. Los usuarios locales sin privilegios autenticados podrían ser capaces de acceder a pequeñas cantidades de datos privilegiados del kernel. • http://www.securityfocus.com/bid/104114 https://security.FreeBSD.org/advisories/FreeBSD-EN-18:05.mem.asc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-6921
https://notcve.org/view.php?id=CVE-2018-6921
In FreeBSD before 11.1-STABLE(r332066) and 11.1-RELEASE-p10, due to insufficient initialization of memory copied to userland in the network subsystem, small amounts of kernel memory may be disclosed to userland processes. Unprivileged authenticated local users may be able to access small amounts of privileged kernel data. En FreeBSD, en versiones anteriores a la 11.1-STABLE(r332066) and 11.1-RELEASE-p10, debido a la insuficiente inicialización de la memoria copiada en userland en el subsistema de Linux, pequeñas cantidades de la memoria del kernel pueden divulgarse a los procesos de userland. Los usuarios locales sin privilegios autenticados podrían ser capaces de acceder a pequeñas cantidades de datos privilegiados del kernel. • http://www.securityfocus.com/bid/104118 https://security.FreeBSD.org/advisories/FreeBSD-EN-18:05.mem.asc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 24EXPL: 4CVE-2018-8897 – Microsoft Windows - 'POP/MOV SS' Privilege Escalation
https://notcve.org/view.php?id=CVE-2018-8897
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. • https://www.exploit-db.com/exploits/44697 https://www.exploit-db.com/exploits/45024 https://github.com/can1357/CVE-2018-8897 https://github.com/nmulasmajic/CVE-2018-8897 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 http://openwall.com/lists/oss-security/2018/05/08/1 http://openwall.com/lists/oss-security/2018/05/08/4 http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190921-01-debug-en http: • CWE-250: Execution with Unnecessary Privileges CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •