CVE-2020-28374 – kernel: SCSI target (LIO) write to any block on ILO backstore
https://notcve.org/view.php?id=CVE-2020-28374
In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore. En el archivo drivers/target/target_core_xcopy.c en el kernel de Linux versiones anteriores a 5.10.7, unos atacantes remotos pueden usar una comprobación del identificador insuficiente en el código de destino LIO SCSI para leer o escribir archivos por medio de un salto de directorio en una petición XCOPY, también se conoce como CID-2896c93811e3. Por ejemplo, un ataque puede ocurrir en una red si el atacante presenta acceso a un iSCSI LUN. • http://packetstormsecurity.com/files/161229/Kernel-Live-Patch-Security-Notice-LSN-0074-1.html http://www.openwall.com/lists/oss-security/2021/01/13/2 http://www.openwall.com/lists/oss-security/2021/01/13/5 https://bugzilla.suse.com/attachment.cgi?id=844938 https://bugzilla.suse.com/show_bug.cgi?id=1178372 https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.7 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2896c93811e39d63a4d9b63ccf12a8fbc226 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2020-25668
https://notcve.org/view.php?id=CVE-2020-25668
A flaw was found in Linux Kernel because access to the global variable fg_console is not properly synchronized leading to a use after free in con_font_op. Se encontró un fallo en el Kernel de Linux porque el acceso a la variable global fg_console no está correctamente sincronizado, conllevando a un uso de la memoria previamente liberada en la función con_font_op • http://www.openwall.com/lists/oss-security/2020/10/30/1 http://www.openwall.com/lists/oss-security/2020/11/04/3 https://bugzilla.redhat.com/show_bug.cgi?id=1893287%2C https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=90bfdeef83f1d6c696039b6a917190dcbbad3220 https://lists.debian.org/debian-lts-announce/2020/12/msg00015.html https://lists.debian.org/debian-lts-announce/2020/12/msg00027.html https://security.netapp.com/advisory/ntap-20210702-0005 https:/ • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-662: Improper Synchronization •
CVE-2020-27777 – kernel: powerpc: RTAS calls can be used to compromise kernel integrity
https://notcve.org/view.php?id=CVE-2020-27777
A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel. Se encontró un fallo en la manera en que RTAS manejaba los accesos a la memoria en el espacio de usuario para la comunicación del kernel. En un sistema invitado bloqueado (generalmente debido al arranque seguro) que se ejecuta en la parte superior de los hipervisores PowerVM o KVM (plataforma pseries), un usuario root como local podría usar este fallo para aumentar aún más sus privilegios a los de un kernel en ejecución A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel. • https://bugzilla.redhat.com/show_bug.cgi?id=1900844 https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?h=next&id=bd59380c5ba4147dcbaad3e582b55ccfd120b764 https://www.openwall.com/lists/oss-security/2020/10/09/1 https://www.openwall.com/lists/oss-security/2020/11/23/2 https://access.redhat.com/security/cve/CVE-2020-27777 • CWE-862: Missing Authorization •
CVE-2020-27786 – kernel: use-after-free in kernel midi subsystem
https://notcve.org/view.php?id=CVE-2020-27786
A flaw was found in the Linux kernel’s implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to this specific memory while freed and before use causes the flow of execution to change and possibly allow for memory corruption or privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Se encontró un fallo en la implementación de MIDI en el kernel de Linux, donde un atacante con una cuenta local y los permisos para emitir comandos ioctl a dispositivos midi podría desencadenar un problema de uso después de la liberación. Una escritura en esta memoria específica mientras está liberada y antes de su uso hace que el flujo de ejecución cambie y posiblemente permita la corrupción de memoria o la escalada de privilegios. • https://github.com/kiks7/CVE-2020-27786-Kernel-Exploit https://github.com/elbiazo/CVE-2020-27786 https://github.com/ii4gsp/CVE-2020-27786 http://www.openwall.com/lists/oss-security/2020/12/03/1 https://bugzilla.redhat.com/show_bug.cgi?id=1900933 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c1f6e3c818dd734c30f6a7eeebf232ba2cf3181d https://security.netapp.com/advisory/ntap-20210122-0002 https://access.redhat.com/security/cve/CVE-2020-27786 • CWE-416: Use After Free •
CVE-2020-29660 – kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-after-free
https://notcve.org/view.php?id=CVE-2020-29660
A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24. Se detectó un problema de inconsistencia de bloqueo en el subsistema tty del kernel de Linux versiones hasta 5.9.13. Los archivos drivers/tty/tty_io.c y drivers/tty/tty_jobctrl.c pueden permitir un ataque de lectura de la memoria previamente liberada contra TIOCGSID, también se conoce como CID-c8bcd9c5be24 A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel. A local user could use this flaw to read numerical value from memory after free. • http://packetstormsecurity.com/files/164950/Kernel-Live-Patch-Security-Notice-LSN-0082-1.html http://www.openwall.com/lists/oss-security/2020/12/10/1 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9 https://lists.debian.org/debian-lts-announce/2021/02/msg00018.html https://lists.debian.org/debian-lts-announce/2021/03/msg00010.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BOB25SU6X • CWE-416: Use After Free CWE-667: Improper Locking •