Page 441 of 3174 results (0.033 seconds)

CVSS: 2.1EPSS: 0%CPEs: 434EXPL: 0

arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set_thread_area system call and later reads a 16-bit value. arch/x86/kernel/tls.c en la implementación Thread Local Storage (TLS) en el kernel de Linux hasta 3.18.1 permite a usuarios locales evadir el mecanismo de protección espfix, y como consecuencia facilita a usuarios locales evadir el mecanismo de protección ASLR, a través de una aplicación manipulada que hace una llamada del sistema set_thread_area y posteriormente lee un valor de 16 bits. It was found that the espfix functionality could be bypassed by installing a 16-bit RW data segment into GDT instead of LDT (which espfix checks), and using that segment on the stack. A local, unprivileged user could potentially use this flaw to leak kernel stack addresses. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=41bdc78544b8a93a9c6814b8bbbfef966272abbe http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.html http://rhn.redhat.com/errata/RHSA-2015-1272.html http://secunia.com/advisories/62801 http://www.debian.org/security/2015/dsa-3128 http://www.mandriva.com/security/advisories?name=MDVSA-2015:058 http://www.openwall.com/lists& • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 8.4EPSS: 0%CPEs: 13EXPL: 4

arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space. arch/x86/kernel/entry_64.S en el kernel de Linux anterior a 3.17.5 no maneja correctamente los fallos asociados con el registro de segmento Stack Segment (SS), lo que permite a usuarios locales ganar privilegios mediante la provocación de una instrucción IRET que lleva al acceso a una dirección de GS Base del espacio equivocado. A flaw was found in the way the Linux kernel handled GS segment register base switching when recovering from a #SS (stack segment) fault on an erroneous return to user space. A local, unprivileged user could use this flaw to escalate their privileges on the system. • https://www.exploit-db.com/exploits/44205 https://www.exploit-db.com/exploits/36266 https://github.com/RKX1209/CVE-2014-9322 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=6f442be2fb22be02cafa606f1769fa1e6f894441 http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00020.html http://marc.info/?l= • CWE-269: Improper Privilege Management CWE-841: Improper Enforcement of Behavioral Workflow •

CVSS: 3.3EPSS: 0%CPEs: 8EXPL: 1

The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value. La función paravirt_ops_setup en arch/x86/kernel/kvm.c en el kernel de Linux hasta 3.18 utiliza una configuración paravirt_enabled indebida para los kernels KVM invitados, lo que facilita a usuarios invitados del sistema operativo evadir el mecanismo de protección ASLR a través de una aplicación manipulada que lee un valor de 16 bits. It was found that the espfix functionality does not work for 32-bit KVM paravirtualized guests. A local, unprivileged guest user could potentially use this flaw to leak kernel stack addresses. • http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.html http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8134.html http://rhn.redhat.com/errata/RHSA-2016-0855.html http://secunia.com/advisories/62336 http://www.oracle.com/technetwork/t •

CVSS: 7.1EPSS: 56%CPEs: 204EXPL: 1

The sctp_process_param function in net/sctp/sm_make_chunk.c in the SCTP implementation in the Linux kernel before 3.17.4, when ASCONF is used, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via a malformed INIT chunk. La función sctp_process_param en net/sctp/sm_make_chunk.c en la implementación SCTP en el kernel de Linux anterior a 3.17.4, cuando ASCONF está utilizado, permite a atacantes remotos causar una denegación de servicio (referencia a puntero nulo y caída del sistema) a través de un chunk INIT malformado. A flaw was found in the way the Linux kernel's SCTP implementation validated INIT chunks when performing Address Configuration Change (ASCONF). A remote attacker could use this flaw to crash the system by sending a specially crafted SCTP packet to trigger a NULL pointer dereference on the system. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=e40607cbe270a9e8360907cb1e62ddf0736e4864 http://linux.oracle.com/errata/ELSA-2015-3004.html http://linux.oracle.com/errata/ELSA-2015-3005.html http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html http://lists.opensuse.org/opensuse-security-announce/2015& • CWE-399: Resource Management Errors CWE-476: NULL Pointer Dereference •

CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0

Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 allows L2 guest OS users to cause a denial of service (L1 guest OS crash) via a crafted instruction that triggers an L2 emulation failure report, a similar issue to CVE-2014-7842. Condición de carrera en arch/x86/kvm/x86.c en el kernel de Linux anterior a 2.6.38 permite a usuarios del sistema operativo L2 invitado causar una denegación de servicio (caída del sistema operativo L1 invitado) a través de una instrucción manipulada que provoca un informe de fallo de emulación en L2, un problema similar a CVE-2014-7842. It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. Please note that on certain systems, HPET is mapped to userspace as part of vdso (vvar) and thus an unprivileged user may generate MMIO transactions (and enter the emulator) this way. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=fc3a9157d3148ab91039c75423da8ef97be3e105 http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00000.html http://mirror.linux.org.au/linux/kernel/v2.6/ChangeLog-2.6.38 http://rhn.redhat.com/errata/RHSA-2016-0855.html http://www.openwall.com/lists/oss-security/2014/11/13/7 http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html http://www.oracle.com/technetwork/topics/sec • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •