CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 1CVE-2015-7613 – kernel: Unauthorized access to IPC objects with SysV shm
https://notcve.org/view.php?id=CVE-2015-7613
Race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c. Condición de carrera en la implementación del objeto IPC en el kernel de Linux hasta la versión 4.2.3 permite a usuarios locales obtener privilegios desencadenando una llamada a ipc_addid que conduce a comparaciones de uid y gid contra datos no inicializados, relacionada con msg.c, shm.c y util.c. A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9a532277938798b53178d5a66af6e2915cb27cf http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00026.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00027.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00028.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00029.html http://lists.opensuse.org • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2015-2925 – Kernel: vfs: Do not allow escaping from bind mounts
https://notcve.org/view.php?id=CVE-2015-2925
The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a "double-chroot attack." La función prepend_path en fs/dcache.c en el kernel Linux en versiones anteriores a 4.2.4 no maneja adecuadamente el cambio de nombre de las acciones dentro de un enlace de montaje, lo que permite a usuarios locales eludir un mecanismo de protección destinado al contenedor mediante el cambio de nombre de un directorio, relacionado con un 'double-chroot attack'. A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=397d425dc26da728396e66d392d5dcb8dac30c37 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cde93be45a8a90d8c264c776fab63487b5038a65 http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00018.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00007.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00009 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-254: 7PK - Security Features •
CVSS: 4.9EPSS: 0%CPEs: 5EXPL: 0CVE-2015-6937
https://notcve.org/view.php?id=CVE-2015-6937
The __rds_conn_create function in net/rds/connection.c in the Linux kernel through 4.2.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound. La función __rds_conn_create en net/rds/connection.c en el kernel de Linux hasta la versión 4.2.3 permite a usuarios locales provocar una denegación de servicio (referencia a puntero NULL y caída del sistema) o posiblemente tener otro impacto no especificado mediante el uso de un socket que no estaba vinculado adecuadamente. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=74e98eb085889b0d2d4908f59f6e00026063014f http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168447.html http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168539.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167358.html http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00035.html http:/&#x •
CVSS: 3.3EPSS: 0%CPEs: 5EXPL: 0CVE-2015-2877
https://notcve.org/view.php?id=CVE-2015-2877
Kernel Samepage Merging (KSM) in the Linux kernel 2.6.32 through 4.x does not prevent use of a write-timing side channel, which allows guest OS users to defeat the ASLR protection mechanism on other guest OS instances via a Cross-VM ASL INtrospection (CAIN) attack. NOTE: the vendor states "Basically if you care about this attack vector, disable deduplication." Share-until-written approaches for memory conservation among mutually untrusting tenants are inherently detectable for information disclosure, and can be classified as potentially misunderstood behaviors rather than vulnerabilities ** DISPUTADA ** Kernel Samepage Merging (KSM) en el kernel de Linux 2.6.32 hasta la versión 4.x no previene el uso de un canal lateral de sincronización de escritura, lo que permite a usuarios invitados del SO derrotar el mecanismo de protección de ASLR en otras instancias invitadas del SO a través de un ataque Cross-VM ASL INtrospection (CAIN). NOTA: el vendedor afirma "Básicamente si te preocupa este vector de ataque, inhabilita la deduplicación". Enfoques de compartir hasta escritura para conservación de memoria entre inquilinos mutuamente desconfiados son inherentemente detectables para divulgación de información y pueden clasificarse como comportamientos potencialmente malinterpretados en lugar de vulnerabilidades. • http://www.antoniobarresi.com/files/cain_advisory.txt http://www.kb.cert.org/vuls/id/935424 http://www.securityfocus.com/bid/76256 https://bugzilla.redhat.com/show_bug.cgi?id=1252096 https://www.kb.cert.org/vuls/id/BGAR-A2CNKG https://www.kb.cert.org/vuls/id/BLUU-9ZAHZH https://www.usenix.org/system/files/conference/woot15/woot15-paper-barresi.pdf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.5EPSS: 2%CPEs: 4EXPL: 1CVE-2015-4004
https://notcve.org/view.php?id=CVE-2015-4004
The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untrusted length field during packet parsing, which allows remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via a crafted packet. El controlador OZWPAN en el kernel de Linux hasta 4.0.5 depende de un campo de longitud no confiable durante el análisis sintáctico de paquetes, lo que permite a atacantes remotos obtener información sensible de la memoria del kernel o causar una denegación de servicio (lectura fuera de rango y caída de sistema) a través de un paquete manipulado. • http://openwall.com/lists/oss-security/2015/06/05/7 http://www.securityfocus.com/bid/74669 http://www.ubuntu.com/usn/USN-2989-1 http://www.ubuntu.com/usn/USN-2998-1 http://www.ubuntu.com/usn/USN-3000-1 http://www.ubuntu.com/usn/USN-3001-1 http://www.ubuntu.com/usn/USN-3002-1 http://www.ubuntu.com/usn/USN-3003-1 http://www.ubuntu.com/usn/USN-3004-1 https://lkml.org/lkml/2015/5/13/739 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •