CVE-2018-12904 – KVM (Nested Virtualization) - L1 Guest Privilege Escalation
https://notcve.org/view.php?id=CVE-2018-12904
In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial of service attacks due to lack of checking of CPL. En arch/x86/kvm/vmx.c en el kernel de Linux en versiones anteriores a la 4.17.2, cuando se emplea la virtualización anidada, los atacantes locales podrían hacer que los invitados L1 KVM realizasen un VMEXIT, permitiendo escalados de privilegios y ataques de denegación de servicio (DoS) debido a la falta de comprobación de CPL. • https://www.exploit-db.com/exploits/44944 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=727ba748e110b4de50d142edca9d6a9b7e6111d8 https://bugs.chromium.org/p/project-zero/issues/detail?id=1589 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.17.2 https://github.com/torvalds/linux/commit/727ba748e110b4de50d142edca9d6a9b7e6111d8 https://usn.ubuntu.com/3752-1 https://usn.ubuntu.com/3752-2 https://usn.ubuntu.com/3752-3 •
CVE-2018-1000204 – kernel: Infoleak caused by incorrect handling of the SG_IO ioctl
https://notcve.org/view.php?id=CVE-2018-1000204
Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the userspace. This has been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00043.html http://www.openwall.com/lists/oss-security/2018/06/26/3 https://access.redhat.com/errata/RHSA-2018:2948 https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 https://lists.debian.org/debian-lts-announce/2018/07/msg00015.html https://lists.debian.org/debian-lts-announce/2018/07/msg00016.html https://lists.debian.org/debian-lts-announce/2018/07/msg00020.html https://usn.ubuntu.com/3696-1& • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2018-12633
https://notcve.org/view.php?id=CVE-2018-12633
An issue was discovered in the Linux kernel through 4.17.2. vbg_misc_device_ioctl() in drivers/virt/vboxguest/vboxguest_linux.c reads the same user data twice with copy_from_user. The header part of the user data is double-fetched, and a malicious user thread can tamper with the critical variables (hdr.size_in and hdr.size_out) in the header between the two fetches because of a race condition, leading to severe kernel errors, such as buffer over-accesses. This bug can cause a local denial of service and information leakage. Se ha descubierto un problema en el kernel de Linux hasta la versión 4.17.2. vbg_misc_device_ioctl() en drivers/virt/vboxguest/vboxguest_linux.c lee los mismos datos de usuario dos veces con copy_from_user. La cabecera de los datos de usuario es de tipo double-fetch y un hilo de usuario malicioso puede falsificar las variables críticas (hdr.size_in y hdr.size_out) en la cabecera entre los dos fetch debido a una condición de carrera. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bd23a7269834dc7c1f93e83535d16ebc44b75eba https://bugzilla.kernel.org/show_bug.cgi?id=200131 https://github.com/torvalds/linux/commit/bd23a7269834dc7c1f93e83535d16ebc44b75eba • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2016-10723
https://notcve.org/view.php?id=CVE-2016-10723
An issue was discovered in the Linux kernel through 4.17.2. Since the page allocator does not yield CPU resources to the owner of the oom_lock mutex, a local unprivileged user can trivially lock up the system forever by wasting CPU resources from the page allocator (e.g., via concurrent page fault events) when the global OOM killer is invoked. NOTE: the software maintainer has not accepted certain proposed patches, in part because of a viewpoint that "the underlying problem is non-trivial to handle. ** EN DISPUTA ** Se ha descubierto un problema en el kernel de Linux hasta la versión 4.17.2. Debido a que el asignador de páginas no asigna recursos de la CPU al propietario del mutex oom_lock mutex, un usuario local sin privilegios puede bloquear el sistema para siempre malgastando recursos de la CPU del asignador de la página (p.ej., mediante eventos concurrentes de error de página) cuando se invoca al killer OOM global. NOTA: el mantenedor de software no ha aceptado ciertos parches propuestos, en parte debido que, según su punto de vista, "el problema subyacente no es trivial de manejar". • https://patchwork.kernel.org/patch/10395909 https://patchwork.kernel.org/patch/9842889 https://www.spinics.net/lists/linux-mm/msg117896.html • CWE-399: Resource Management Errors •
CVE-2018-5814
https://notcve.org/view.php?id=CVE-2018-5814
In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4.133, multiple race condition errors when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets. En el kernel de Linux en versiones anteriores a la 4.16.11, 4.14.43, 4.9.102 y 4.4.133, múltiples errores de condición de carrera al gestionar operaciones probe, disconnect y rebind pueden explotarse para desencadenar una condición de uso de memoria previamente liberada o una desreferencia de puntero NULL mediante el envío de múltiples paquetes USB por IP. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00043.html http://www.securitytracker.com/id/1041050 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.43 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.11 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.133 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.102 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=2207 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •