CVE-2016-4997 – Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2016-4997
The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement. Las implementaciones de compat IPT_SO_SET_REPLACE y IP6T_SO_SET_REPLACE setsockopt en el subsistema netfilter en el kernel de Linux antes de 4.6.3 permiten a los usuarios locales obtener privilegios o provocar una denegación de servicio (corrupción de memoria) aprovechando el acceso del root en el contenedor para proporcionar un valor de compensación manipulado que desencadena una disminución no intencionada. A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. • https://www.exploit-db.com/exploits/40489 https://www.exploit-db.com/exploits/40435 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00060.html http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00061.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.html http:/ • CWE-20: Improper Input Validation CWE-264: Permissions, Privileges, and Access Controls •
CVE-2016-4998 – kernel: out of bounds reads when processing IPT_SO_SET_REPLACE setsockopt
https://notcve.org/view.php?id=CVE-2016-4998
The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary. La implementación de setsockopt IPT_SO_SET_REPLACEIPT_SO_SET_REPLACE en el subsistema de netfilter en el kernel de Linux en versiones anteriores a 4.6 permite a usuarios locales provocar una denegación de servicio (lectura fuera de límites) o posiblemente obtener información sensible de la memoria dinámica del kernel aprovechando el acceso root en el contenedor para proporcionar un valor de desplazamiento manipulado que lleva a cruzar un conjunto de reglas de un límite blob. An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91 http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00055.html http://rhn.redhat.com/errata/RHSA-2016-1847.html http://rhn.redhat.com/errata/RHSA-2016-1875.html http://rhn.redhat.com/errata/RHSA-2016-1883.html http://rhn.redhat.com/errata/RHSA-2017-0036.html http://www.debian.org/securi • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
CVE-2016-5828 – Kernel: powerpc: tm: crash via exec system call on PPC
https://notcve.org/view.php?id=CVE-2016-5828
The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel through 4.6.3 on powerpc platforms mishandles transactional state, which allows local users to cause a denial of service (invalid process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by starting and suspending a transaction before an exec system call. La función start_thread en arch/powerpc/kernel/process.c en el kernel de Linux hasta la versión 4.6.3 en plataformas powerpc no maneja adecuadamente el estado transaccional, lo que permite a usuarios locales provocar una denegación de servicio (estado de proceso inválido o excepción TM Bad Thing y caída de sistema) o posiblemente tener otro impacto no especificado iniciando y suspendiendo una transacción antes de una llamada de sistema exec. A vulnerability in the handling of Transactional Memory on powerpc systems was found. An unprivileged local user can crash the kernel by starting a transaction, suspending it, and then calling any of the exec() class system calls. • http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00055.html http://rhn.redhat.com/errata/RHSA-2016-2574.html http://www.debian.org/security/2016/dsa-3616 http://www.openwall.com/lists/oss-security/2016/06/25/7 http://www.securityfocus.com/bid/91415 http://www.ubuntu.com/usn/USN-3070-1 http://www.ubuntu.com • CWE-20: Improper Input Validation •
CVE-2016-5244
https://notcve.org/view.php?id=CVE-2016-5244
The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel through 4.6.3 does not initialize a certain structure member, which allows remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message. La función rds_inc_info_copy en net/rds/recv.c en el kernel de Linux hasta la versión 4.6.3 no inicializa un cierto miembro de estructura, lo que permite a atacantes remotos obtener información sensible de la memoria de pila del kernel leyendo un mensaje RDS. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4116def2337991b39919f3b448326e21c40e0dbb http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.html http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00054.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.html http://lists.opensuse.org • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-5829 – kernel: Heap buffer overflow in hiddev driver
https://notcve.org/view.php?id=CVE-2016-5829
Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call. Múltiples desbordamientos de buffer basado en memoria dinámica en la función hiddev_ioctl_usage en drivers/hid/usbhid/hiddev.c en el kernel de Linux hasta la versión 4.6.3 permiten a usuarios locales provocar una denegación de servicio o tener posiblemente otro impacto no especificado a través de una llamada (1) HIDIOCGUSAGES o (2) HIDIOCSUSAGES ioctl manipulada. A heap-based buffer overflow vulnerability was found in the Linux kernel's hiddev driver. This flaw could allow a local attacker to corrupt kernel memory, possible privilege escalation or crashing the system. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=93a2001bdfd5376c3dc2158653034c20392d15c5 http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00027.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00048.html http://lists.opensuse.org • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •