CVE-2015-0239 – kernel: kvm: insufficient sysenter emulation when invoked from 16-bit code
https://notcve.org/view.php?id=CVE-2015-0239
The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYSENTER instruction. La función em_sysenter en arch/x86/kvm/emulate.c en el kernel de Linux anterior a 3.18.5, cuando al sistema operativo invitado le falta la inicialización SYSENTER MSR, permite a usuarios del sistema operativo invitado ganar privilegios del sistema operativo invitado o causar una denegación de servicio (caída del sistema operativo invitado) mediante la provocación del uso de un segmento de código de 16 bits para la emulación de una instrucción SYSENTER. It was found that the Linux kernel KVM subsystem's sysenter instruction emulation was not sufficient. An unprivileged guest user could use this flaw to escalate their privileges by tricking the hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the guest OS did not initialize the SYSENTER model-specific registers (MSRs). Note: Certified guest operating systems for Red Hat Enterprise Linux with KVM do initialize the SYSENTER MSRs and are thus not vulnerable to this issue when running on a KVM hypervisor. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=f3747379accba8e95d70cec0eae0582c8c182050 http://permalink.gmane.org/gmane.linux.kernel.commits.head/502245 http://rhn.redhat.com/errata/RHSA-2015-1272.html http://www.debian.org/security/2015/dsa-3170 http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.18.5 http://www.mandriva.com/security/advisories?name=MDVSA-2015:058 http://www.openwall.com/lists/oss-security/2015/01/27/6 http://www • CWE-269: Improper Privilege Management CWE-391: Unchecked Error Condition •
CVE-2014-9644 – kernel: crypto api unprivileged arbitrary module load via request_module()
https://notcve.org/view.php?id=CVE-2014-9644
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421. La API Crypto en el kernel de Linux anterior a 3.18.5 permite a usuarios locales cargar módulos del kernel arbitrarios a través de una llamada al sistema de enlaces para un socket AF_ALG con una expresión de plantilla de módulos entre paréntesis en el campo salg_name, tal y como fue demostrado por la expresión vfat(aes), una vulnerabilidad diferente a CVE-2013-7421. A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=4943ba16bbc2db05115707b3ff7b4874e9e3c560 http://rhn.redhat.com/errata/RHSA-2016-0068.html http://www.debian.org/security/2015/dsa-3170 http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.18.5 http://www.mandriva.com/security/advisories?name=MDVSA-2015:057 http://www.mandriva.com/security/advisories?name=MDVSA-2015:058 http://www.openwall.com/lists/oss-security/2015/01/24/4 http://www. • CWE-269: Improper Privilege Management CWE-749: Exposed Dangerous Method or Function •
CVE-2015-1593 – kernel: Linux stack ASLR implementation Integer overflow
https://notcve.org/view.php?id=CVE-2015-1593
The stack randomization feature in the Linux kernel before 3.19.1 on 64-bit platforms uses incorrect data types for the results of bitwise left-shift operations, which makes it easier for attackers to bypass the ASLR protection mechanism by predicting the address of the top of the stack, related to the randomize_stack_top function in fs/binfmt_elf.c and the stack_maxrandom_size function in arch/x86/mm/mmap.c. La característica de aleatoriedad de la pila en el Kernel de Linux anterior a 3.19.1 en plataformas de 64-bits utiliza un tipo de datos incorrecto por el resultado de operaciones de bitwise left-shift, lo que hace que sea más fácil para atacantes evadir el mecanismo de protección ASLR prediciendo direcciones del tope de la pila, relacionado con la función andomize_stack_top en fs/binfmt_elf.c y la función stack_maxrandom_size en arch/x86/mm/mmap.c. An integer overflow flaw was found in the way the Linux kernel randomized the stack for processes on certain 64-bit architecture systems, such as x86-64, causing the stack entropy to be reduced by four. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 http://hmarco.org/bugs/linux-ASLR-integer-overflow.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.html http://rhn.redhat.com/errata/RHSA-2015-1137.html http://rhn.redhat.com/errata/RHSA-2015-1138.html http://rhn.redhat.com/errata/RHSA-2015-1221.html http://www.debi • CWE-190: Integer Overflow or Wraparound CWE-264: Permissions, Privileges, and Access Controls •
CVE-2014-5332
https://notcve.org/view.php?id=CVE-2014-5332
Race condition in NVMap in NVIDIA Tegra Linux Kernel 3.10 allows local users to gain privileges via a crafted NVMAP_IOC_CREATE IOCTL call, which triggers a use-after-free error, as demonstrated by using a race condition to escape the Chrome sandbox. Condición de carrera en NVMap en NVIDIA Tegra Linux Kernel 3.10 permite a usuarios locales obtener privilegios a través de una llamada IOCTL NVMAP_IOC_CREATE manipulada, lo que desencadena un error de uso después de liberación de memoria, según lo demostrado mediante el uso de una condición de carrera para escapar del sandbox de Chrome. • http://googleprojectzero.blogspot.com/2015/01/exploiting-nvmap-to-escape-chrome.html http://nvidia.custhelp.com/app/answers/detail/a_id/3618 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2014-7822 – Linux Kernel 3.13/3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service
https://notcve.org/view.php?id=CVE-2014-7822
The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call, as demonstrated by use of a file descriptor associated with an ext4 filesystem. La implementación de ciertas operaciones de archivo splice_write en el kernel de Linux anterior a 3.16 no fuerza una restricción en el tamaño máximo de un archivo, lo que permite a usaurios locales causar una denegación de servicio (caída del sistema) o la posibilidad de tener otro impacto no especificado a través de llamadas anidadas al sistema modificadas, como se ha demostrado mediante el uso de un archivo descriptor asociado con sistemas de ficheros ext4. A flaw was found in the way the Linux kernel's splice() system call validated its parameters. On certain file systems, a local, unprivileged user could use this flaw to write past the maximum file size, and thus crash the system. • https://www.exploit-db.com/exploits/36743 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=8d0207652cbe27d1f962050737848e5ad4671958 http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00008.html http://lists.opensuse.org/opensuse-security-ann • CWE-264: Permissions, Privileges, and Access Controls •