CVE-2017-1000410 – kernel: Stack information leak in the EFS element
https://notcve.org/view.php?id=CVE-2017-1000410
The Linux kernel version 3.3-rc1 and later is affected by a vulnerability lies in the processing of incoming L2CAP commands - ConfigRequest, and ConfigResponse messages. This info leak is a result of uninitialized stack variables that may be returned to an attacker in their uninitialized state. By manipulating the code flows that precede the handling of these configuration messages, an attacker can also gain some control over which data will be held in the uninitialized stack variables. This can allow him to bypass KASLR, and stack canaries protection - as both pointers and stack canaries may be leaked in this manner. Combining this vulnerability (for example) with the previously disclosed RCE vulnerability in L2CAP configuration parsing (CVE-2017-1000251) may allow an attacker to exploit the RCE against kernels which were built with the above mitigations. • http://seclists.org/oss-sec/2017/q4/357 http://www.securityfocus.com/bid/102101 https://access.redhat.com/errata/RHSA-2018:0654 https://access.redhat.com/errata/RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2018:1130 https://access.redhat.com/errata/RHSA-2018:1170 https://access.redhat.com/errata/RHSA-2018:1319 https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2017-17449 – kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity
https://notcve.org/view.php?id=CVE-2017-17449
The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4, when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net namespace, which allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system. La función __netlink_deliver_tap_skb en net/netlink/af_netlink.c en el kernel de Linux hasta la versión 4.14.4, cuando CONFIG_NLMON está habilitado, no restringe las observaciones de mensajes Netlink a un espacio de nombres de red único, lo que permite que usuarios locales obtengan información sensible utilizando la capacidad CAP_NET_ADMIN para rastrear una interfaz nlmon para toda la actividad Netlink en el sistema. The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel, through 4.14.4, does not restrict observations of Netlink messages to a single net namespace, when CONFIG_NLMON is enabled. This allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system. • http://www.securityfocus.com/bid/102122 https://access.redhat.com/errata/RHSA-2018:0654 https://access.redhat.com/errata/RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2018:1130 https://access.redhat.com/errata/RHSA-2018:1170 https://lkml.org/lkml/2017/12/5/950 https://source.android.com/security/bulletin/pixel/2018-04-01 https://usn.ubuntu.com/3619-1 https://usn.ubuntu.com/3619-2 https://usn.ubunt • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-284: Improper Access Control •
CVE-2017-8824 – Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free
https://notcve.org/view.php?id=CVE-2017-8824
The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state. La función dccp_disconnect en net/dccp/proto.c en el kernel de Linux hasta la versión 4.14.3 permite que usuarios locales obtengan privilegios o provoquen una denegación de servicio (uso de memoria previamente liberada) mediante una llamada del sistema de conexión AF_UNSPEC durante el estado DCCP_LISTEN. A use-after-free vulnerability was found in DCCP socket code affecting the Linux kernel since 2.6.16. This vulnerability could allow an attacker to their escalate privileges. The Linux kernel suffers from a DCCP socket use-after-free vulnerability. • https://www.exploit-db.com/exploits/43234 http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html http://lists.openwall.net/netdev/2017/12/04/224 http://www.openwall.com/lists/oss-security/2017/12/05/1 http://www.securityfocus.com/bid/102056 https://access.redhat.com/errata/RHSA-2018:0399 https://access.redhat.com/errata/RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2018:1130 https://acces • CWE-416: Use After Free •
CVE-2017-1000405 – Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page
https://notcve.org/view.php?id=CVE-2017-1000405
The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original "Dirty cow" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. • https://www.exploit-db.com/exploits/44305 https://www.exploit-db.com/exploits/43199 http://www.securityfocus.com/bid/102032 http://www.securitytracker.com/id/1040020 https://access.redhat.com/errata/RHSA-2018:0180 https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0 https://source.android.com/security/bulletin/pixel/2018-02-01 https://access.redhat.com/security/cve/CVE-2017-1000405 https://bugzilla.redhat.com/show_bug.cgi?id=1516514 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2017-17052
https://notcve.org/view.php?id=CVE-2017-17052
The mm_init function in kernel/fork.c in the Linux kernel before 4.12.10 does not clear the ->exe_file member of a new process's mm_struct, allowing a local attacker to achieve a use-after-free or possibly have unspecified other impact by running a specially crafted program. La función mm_init en kernel/fork.c en el kernel de Linux en versiones anteriores a la 4.12.10 no elimina el miembro ->exe_file del mm_struct de un nuevo proceso. Esto permite que un atacante local logre un uso de memoria previamente liberada o que, posiblemente, tenga otro impacto sin especificar ejecutando un programa especialmente manipulado. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2b7e8665b4ff51c034c55df3cff76518d1a9ee3a http://www.securityfocus.com/bid/102009 https://github.com/torvalds/linux/commit/2b7e8665b4ff51c034c55df3cff76518d1a9ee3a https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.10 • CWE-416: Use After Free •