CVE-2021-3492 – Ubuntu linux kernel shiftfs file system double free vulnerability
https://notcve.org/view.php?id=CVE-2021-3492
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (kernel memory exhaustion) or gain privileges via executing arbitrary code. AKA ZDI-CAN-13562. Shiftfs, un sistema de archivos de apilamiento fuera del árbol incluido en los kernels de Ubuntu Linux, no manejaba apropiadamente los fallos que ocurrían durante la función copy_from_user(). • https://github.com/synacktiv/CVE-2021-3492 http://packetstormsecurity.com/files/162614/Kernel-Live-Patch-Security-Notice-LSN-0077-1.html https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/?id=25c891a949bf918b59cbc6e4932015ba4c35c333 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/?id=8fee52ab9da87d82bc6de9ebb3480fff9b4d53e6 https://ubuntu.com/security/notices/USN-4917-1 https://www.openwall.com/lists/oss-security/2021/04/16/2 https: • CWE-401: Missing Release of Memory after Effective Lifetime CWE-415: Double Free •
CVE-2021-3493 – Linux Kernel Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-3493
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges. La implementación de overlayfs en el kernel de Linux no comprobó apropiadamente con respecto a los espacios de nombre de los usuarios, la configuración de las capacidades de los archivos en un sistema de archivos subyacente. Debido a la combinación de los espacios de nombre de usuarios no privilegiados junto con un parche incluido en el kernel de Ubuntu para permitir montajes de superposición no privilegiados, un atacante podría usar esto para alcanzar privilegios elevados The overlayfs stacking file system in Linux kernel does not properly validate the application of file capabilities against user namespaces, which could lead to privilege escalation. • https://github.com/briskets/CVE-2021-3493 https://github.com/inspiringz/CVE-2021-3493 https://github.com/oneoy/CVE-2021-3493 https://github.com/cerodah/overlayFS-CVE-2021-3493 https://github.com/derek-turing/CVE-2021-3493 https://github.com/puckiestyle/CVE-2021-3493 https://github.com/smallkill/CVE-2021-3493 https://github.com/Abdennour-py/CVE-2021-3493 https://github.com/fei9747/CVE-2021-3493 https://github.com/ptkhai15/OverlayFS---CVE-2021-3493 https://git • CWE-270: Privilege Context Switching Error CWE-863: Incorrect Authorization •
CVE-2021-3444 – Linux kernel bpf verifier incorrect mod32 truncation
https://notcve.org/view.php?id=CVE-2021-3444
The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in the upstream kernel in commit 9b00f1b78809 ("bpf: Fix truncation handling for mod32 dst reg wrt zero") and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. El comprobador bpf en el kernel de Linux no manejó apropiadamente el truncamiento del registro de destino mod32 cuando se sabía que el registro de origen era 0. Un atacante local con la habilidad de cargar programas bpf podría usar esta ganancia para lecturas fuera de límites en la memoria del kernel que conllevan a una divulgación de información (memoria del kernel) y, posiblemente, escrituras fuera de límites que podrían conllevar a una ejecución de código. • http://packetstormsecurity.com/files/162117/Kernel-Live-Patch-Security-Notice-LSN-0075-1.html http://packetstormsecurity.com/files/164950/Kernel-Live-Patch-Security-Notice-LSN-0082-1.html http://www.openwall.com/lists/oss-security/2021/03/23/2 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9b00f1b78809 https://lists.debian.org/debian-lts-announce/2021/10/msg00010.html https://security.netapp.com/advisory/ntap-20210416-0006 https://www.openwall.com/lists • CWE-125: Out-of-bounds Read CWE-681: Incorrect Conversion between Numeric Types •
CVE-2020-27171
https://notcve.org/view.php?id=CVE-2020-27171
An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d. Se detectó un problema en el kernel de Linux versiones anteriores a 5.11.8. El archivo kernel/bpf/verifier.c presenta un error por un paso (con un subdesbordamiento de enteros resultante) afectando la especulación fuera de límites en la aritmética de punteros, conllevando a ataques de canal lateral que anulan las mitigaciones de Spectre y consiguen información confidencial de la memoria del kernel , también se conoce como CID-10d2bb2e6b1d • http://packetstormsecurity.com/files/162117/Kernel-Live-Patch-Security-Notice-LSN-0075-1.html http://www.openwall.com/lists/oss-security/2021/03/24/5 https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.11.8 https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=10d2bb2e6b1d8c4576c56a748f697dbeb8388899 https://lists.debian.org/debian-lts-announce/2021/03/msg00035.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FB6LUXPEIRLZH • CWE-193: Off-by-one Error •
CVE-2020-27170 – kernel: Speculation on pointer arithmetic against bpf_context pointer
https://notcve.org/view.php?id=CVE-2020-27170
An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit. Se detectó un problema en el kernel de Linux versiones anteriores a 5.11.8. El archivo kernel/bpf/verifier.c lleva a cabo especulaciones no deseadas fuera de límites en aritmética de punteros, conllevando a ataques de canal lateral que anulan las mitigaciones de Spectre y consiguen información confidencial de la memoria del kernel, también se conoce como CID-f232326f6966. Esto afecta a los tipos de punteros que no definen un ptr_limit A flaw was found in the Linux kernels eBPF verification code. • http://packetstormsecurity.com/files/162117/Kernel-Live-Patch-Security-Notice-LSN-0075-1.html http://www.openwall.com/lists/oss-security/2021/03/24/4 https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.11.8 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 https://lists.debian.org/debian-lts-announce/2021/03/msg00035.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FB6LU • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-203: Observable Discrepancy •