CVSS: 6.9EPSS: 0%CPEs: 11EXPL: 3CVE-2014-4699 – Linux Kernel < 3.2.0-23 (Ubuntu 12.04 x64) - 'ptrace/sysret' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2014-4699
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls. El kernel de Linux anterior a 3.15.4 en los procesadores Intel no restringe debidamente el uso de un valor no canónico para la dirección RIP guardada en el caso de una llamada del sistema que no utilice IRET, lo que permite a usuarios locales aprovechar una condición de carrera y ganar privilegios, o causar una denegación de servicio (fallo doble), a través de una aplicación manipulada que realice llamadas de sistemas ptrace y fork. It was found that the Linux kernel's ptrace subsystem allowed a traced process' instruction pointer to be set to a non-canonical memory address without forcing the non-sysret code path when returning to user space. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. Note: The CVE-2014-4699 issue only affected systems using an Intel CPU. • https://www.exploit-db.com/exploits/34134 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a http://linux.oracle.com/errata/ELSA-2014-0924.html http://linux.oracle.com/errata/ELSA-2014-3047.html http://linux.oracle.com/errata/ELSA-2014-3048.html http://openwall.com/lists/oss-security/2014/07/05/4 http://openwall.com/lists/oss-security/2014/07/08/16 http://openwall.com/lists/oss-security/2014/07/08 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-642: External Control of Critical State Data •
CVSS: 4.6EPSS: 0%CPEs: 3EXPL: 0CVE-2014-4654 – Kernel: ALSA: control: use-after-free in replacing user controls
https://notcve.org/view.php?id=CVE-2014-4654
The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call. La función snd_ctl_elem_add en sound/core/control.c de la implementación del control ALSA en el kernel de Linux anterior a 3.15.2 no comprueba la autorización para los comandos SNDRV_CTL_IOCTL_ELEM_REPLACE, lo que permite a usuarios locales eliminar los controles del kernel y provocar una denegación de servicio (usar después de liberar y una caída del sistema) al aprovechar el acceso a /dev/snd/controlICS para una llamada ioctl. A use-after-free flaw was found in the way the Linux kernel's Advanced Linux Sound Architecture (ALSA) implementation handled user controls. A local, privileged user could use this flaw to crash the system. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=82262a46627bebb0febcc26664746c25cef08563 http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00020.html http://rhn.redhat.com/errata/RHSA-2014-1083.html http://secunia.com/advisories/59434 http://secunia.com/advisories/59777 http://secunia.com/advisories/60545 http://secunia.com/advisories/60564 http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.15.2 http://www.openwall.com/lists/o • CWE-416: Use After Free •
CVSS: 5.0EPSS: 0%CPEs: 9EXPL: 0CVE-2014-4656 – Kernel: ALSA: control: integer overflow in id.index & id.numid
https://notcve.org/view.php?id=CVE-2014-4656
Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function. Múltiples desbordamientos de enteros en sound/core/control.c de la implementación del control de ALSA en el kernel de Linux anterior a 3.15.2 permite a usuarios locales causar una denegación de servicio mediante el aprovechamiento de acceso /dev/snd/controlCX, relacionado con (1) valores de indice en la función snd_ctl_add y valores (2) numid en la función snd_ctl_remove_numid_conflict. An integer overflow flaw was found in the way the Linux kernel's Advanced Linux Sound Architecture (ALSA) implementation handled user controls. A local, privileged user could use this flaw to crash the system. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=883a1d49f0d77d30012f114b2e19fc141beb3e8e http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=ac902c112d90a89e59916f751c2745f4dbdbb4bd http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00020.html http://rhn.redhat.com/errata/RHSA-2014-1083.html http://rhn.redhat.com/errata/RHSA-2015-0087.html http://secunia.com/advisories/59434 http://secunia.com/advisories/59777 http://s • CWE-190: Integer Overflow or Wraparound •
CVSS: 4.6EPSS: 0%CPEs: 3EXPL: 0CVE-2014-4653 – Kernel: ALSA: control: do not access controls outside of protected regions
https://notcve.org/view.php?id=CVE-2014-4653
sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. sound/core/control.c de la implementación del control de ALSA en el kernel de Linux anterior a 3.15.2 no asegura la posesión de un bloqueo de lectura/escritura, lo que permite a usuarios locales provocar una denegación de servicio (uso después de liberación) y obtener información sensible de la memoria del kernel al aprovechar el acceso a /dev/snd/controlICX. A use-after-free flaw was found in the way the Linux kernel's Advanced Linux Sound Architecture (ALSA) implementation handled user controls. A local, privileged user could use this flaw to crash the system. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=fd9f26e4eca5d08a27d12c0933fceef76ed9663d http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00020.html http://rhn.redhat.com/errata/RHSA-2014-1083.html http://secunia.com/advisories/59434 http://secunia.com/advisories/59777 http://secunia.com/advisories/60545 http://secunia.com/advisories/60564 http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.15.2 http://www.openwall.com/lists/o • CWE-416: Use After Free •
CVSS: 5.0EPSS: 4%CPEs: 8EXPL: 0CVE-2014-4667 – kernel: sctp: sk_ack_backlog wrap-around problem
https://notcve.org/view.php?id=CVE-2014-4667
The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet. La función sctp_association_free en net/sctp/associola.cen en el kernel de Linux anterior a 3.15.2 no gestiona debidamente cierto valor de backlogs, lo que permite a atacantes remotos causar una denegación de servicio (interrupción del socket) mediante un paquete SCTP manipulado. An integer underflow flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation processed certain COOKIE_ECHO packets. By sending a specially crafted SCTP packet, a remote attacker could use this flaw to prevent legitimate connections to a particular SCTP server socket to be made. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=d3217b15a19a4779c39b212358a5c71d725822ee http://linux.oracle.com/errata/ELSA-2014-3068.html http://linux.oracle.com/errata/ELSA-2014-3069.html http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00007.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00020.html http://secunia.com/advisories/59777 http://secunia&# • CWE-190: Integer Overflow or Wraparound •