CVE-2018-5814
https://notcve.org/view.php?id=CVE-2018-5814
In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4.133, multiple race condition errors when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets. En el kernel de Linux en versiones anteriores a la 4.16.11, 4.14.43, 4.9.102 y 4.4.133, múltiples errores de condición de carrera al gestionar operaciones probe, disconnect y rebind pueden explotarse para desencadenar una condición de uso de memoria previamente liberada o una desreferencia de puntero NULL mediante el envío de múltiples paquetes USB por IP. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00043.html http://www.securitytracker.com/id/1041050 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.43 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.11 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.133 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.102 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=2207 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2018-12232 – kernel: NULL pointer dereference if close and fchownat system calls share a socket file descriptor
https://notcve.org/view.php?id=CVE-2018-12232
In net/socket.c in the Linux kernel through 4.17.1, there is a race condition between fchownat and close in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr functions. fchownat does not increment the file descriptor reference count, which allows close to set the socket to NULL during fchownat's execution, leading to a NULL pointer dereference and system crash. En net/socket.c en el kernel de Linux hasta la versión 4.17.1, hay una condición de carrera entre fchownat y close en los casos en los que apuntan al mismo descriptor de archivo socket. Esto está relacionado con las funciones sock_close y sockfs_setattr. fchownat no incrementa el conteo de referencia del descriptor de archivos, lo que permite que close establezca el socket como NULL durante la ejecución de fchownat lo que conduce a una desreferencia de puntero NULL y a un cierre inesperado del sistema. A NULL pointer dereference issue was found in the Linux kernel. If the close() and fchownat() system calls share a socket file descriptor as an argument, then the two calls can race and trigger a NULL pointer dereference leading to a system crash and a denial of service. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6d8c50dcb029872b298eea68cc6209c866fd3e14 http://www.securityfocus.com/bid/104453 https://access.redhat.com/errata/RHSA-2018:2948 https://github.com/torvalds/linux/commit/6d8c50dcb029872b298eea68cc6209c866fd3e14 https://lkml.org/lkml/2018/6/5/14 https://patchwork.ozlabs.org/patch/926519 https://usn.ubuntu.com/3752-1 https://usn.ubuntu.com/3752-2 https://usn.ubuntu.com/3752-3 https://access.redhat.com/security • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-476: NULL Pointer Dereference •
CVE-2018-11508 – Linux Kernel 4.13 - 'compat_get_timex()' Leak Kernel Pointer
https://notcve.org/view.php?id=CVE-2018-11508
The compat_get_timex function in kernel/compat.c in the Linux kernel before 4.16.9 allows local users to obtain sensitive information from kernel memory via adjtimex. Se ha descubierto un problema en Moodle 3.x. Al sustituir URL en los portfolios, los usuarios pueden instanciar cualquier clase. Esto también puede ser explotado por usuarios que hayan iniciado sesión como invitados para lanzar un ataque DDoS. Linux kernel version 4.13 suffers from a compat_get_timex() kernel pointer leak vulnerability. • https://www.exploit-db.com/exploits/46208 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0a0b98734479aa5b3c671d5190e86273372cab95 http://www.securityfocus.com/bid/104292 https://bugs.chromium.org/p/project-zero/issues/detail?id=1574 https://github.com/torvalds/linux/commit/0a0b98734479aa5b3c671d5190e86273372cab95 https://usn.ubuntu.com/3695-1 https://usn.ubuntu.com/3695-2 https://usn.ubuntu.com/3697-1 https://usn.ubuntu.com/3697-2 https://www.kernel.org • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2018-1120 – Procps-ng - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2018-1120
A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks). Se ha encontrado un error que afecta al kernel de Linux en versiones anteriores a la 4.17. Al realizar un mmap() sobre un archivo copiado con FUSE en la memoria de un proceso que contiene argumentos de línea de comandos (o cadenas de entorno), un atacante puede hacer que las utilidades de psutils o procps (como ps o w) o cualquier otro programa que realiza una llamada read() a los archivos /proc//cmdline (o /proc//environ) se bloqueen indefinidamente (denegación de servicio) o durante un tiempo determinado (como primitiva de sincronización para otros ataques). By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks). • https://www.exploit-db.com/exploits/44806 http://seclists.org/oss-sec/2018/q2/122 http://www.securityfocus.com/bid/104229 https://access.redhat.com/errata/RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:3083 https://access.redhat.com/errata/RHSA-2018:3096 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1120 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7f7ccc2ccc2e70c6054685f5e3522efa81556830 https://lists.debian.org/debian-lt • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
CVE-2017-18270 – kernel: improper keyrings creation
https://notcve.org/view.php?id=CVE-2017-18270
In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted defaults or causing a denial of service. En el kernel de Linux, en versiones anteriores a la 4.13.5, un usuario local podría crear keyrings para otros usuarios mediante comandos keyctl, estableciendo configuraciones por defecto no deseadas o provocando una denegación de servicio (DoS). A flaw was found in the Linux kernel in the way a local user could create keyrings for other users via keyctl commands. This may allow an attacker to set unwanted defaults, a denial of service, or possibly leak keyring information between users. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=237bbd29f7a049d310d907f4b2716a7feef9abf3 http://www.securityfocus.com/bid/104254 https://bugzilla.redhat.com/show_bug.cgi?id=1580979 https://bugzilla.redhat.com/show_bug.cgi?id=1856774#c11 https://bugzilla.redhat.com/show_bug.cgi?id=1856774#c9 https://github.com/torvalds/linux/commit/237bbd29f7a049d310d907f4b2716a7feef9abf3 https://support.f5.com/csp/article/K37301725 https://usn.ubuntu.com/3754-1 https://www.kernel.org • CWE-287: Improper Authentication •