CVE-2017-1000251 – Linux Kernel < 4.13.1 - BlueTooth Buffer Overflow (PoC)
https://notcve.org/view.php?id=CVE-2017-1000251
The native Bluetooth stack in the Linux kernel (BlueZ), from Linux kernel version 2.6.32 up to and including 4.13.1, is vulnerable to a stack overflow in the processing of L2CAP configuration responses, resulting in remote code execution in kernel space. A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely.
• References: https://www.exploit-db.com/exploits/42762 https://github.com/hayzamjs/Blueborne-CVE-2017-1000251 https://github.com/own2pwn/blueborne-CVE-2017-1000251-POC https://github.com/sgxgsx/blueborne-CVE-2017-1000251 https://github.com/tlatkdgus1/blueborne-CVE-2017-1000251 http://nvidia.custhelp.com/app/answers/detail/a_id/4561 http://www.debian.org/security/2017/dsa-3981 http://www.securityfocus.com/bid/100809 http://www.securitytracker.com/id/1039373 https://access.redhat.com/errata&
• CWE-121: Stack-based Buffer Overflow; CWE-787: Out-of-bounds Write
CVE-2017-14156
https://notcve.org/view.php?id=CVE-2017-14156
The atyfb_ioctl function in drivers/video/fbdev/aty/atyfb_base.c in the Linux kernel through 4.12.10 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading locations associated with padding bytes.
• References: http://www.debian.org/security/2017/dsa-3981 http://www.securityfocus.com/bid/100634 https://github.com/torvalds/linux/pull/441 https://marc.info/?l=linux-kernel&m=150401461613306&w=2 https://marc.info/?l=linux-kernel&m=150453196710422&w=2 https://usn.ubuntu.com/3583-1 https://usn.ubuntu.com/3583-2
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-14140 – kernel: Missing permission check in move_pages system call
https://notcve.org/view.php?id=CVE-2017-14140
The move_pages system call in mm/migrate.c in the Linux kernel before 4.12.9 does not check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR. Because the permission check is missing, a local attacker can learn the memory layout of a setuid executable and thereby bypass ASLR.
• References: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=197e7e521384a23b9e585178f3f11c9fa08274b9 http://www.debian.org/security/2017/dsa-3981 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.9 http://www.securityfocus.com/bid/100876 https://access.redhat.com/errata/RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:1062 https://github.com/torvalds/linux/commit/197e7e521384a23b9e585178f3f11c9fa08274b9 https://source.android.com/security/bulletin/pixel/2018-01&
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-863: Incorrect Authorization
CVE-2017-14106 – kernel: Divide-by-zero in __tcp_select_window
https://notcve.org/view.php?id=CVE-2017-14106
The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path. A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic, causing a local denial of service.
• References: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=499350a5a6e7512d9ed369ed63a4244b6536f4f8 http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html http://www.debian.org/security/2017/dsa-3981 http://www.securityfocus.com/bid/100878 http://www.securitytracker.com/id/1039549 https://access.redhat.com/errata/RHSA-2017:2918 https://access.redhat.com/errata/RHSA-2017:2930 https://access.redhat.com/errata/RHSA-2017:2931 https://access.redhat.com/er
• CWE-369: Divide By Zero
CVE-2017-14051
https://notcve.org/view.php?id=CVE-2017-14051
An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel through 4.12.10 allows local users to cause a denial of service (memory corruption and system crash) by leveraging root access.
• References: http://www.securityfocus.com/bid/100571 https://bugzilla.kernel.org/show_bug.cgi?id=194061 https://lists.debian.org/debian-lts-announce/2017/12/msg00004.html https://patchwork.kernel.org/patch/9929625 https://usn.ubuntu.com/3583-1 https://usn.ubuntu.com/3583-2
• CWE-190: Integer Overflow or Wraparound