CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-6921
https://notcve.org/view.php?id=CVE-2018-6921
In FreeBSD before 11.1-STABLE(r332066) and 11.1-RELEASE-p10, due to insufficient initialization of memory copied to userland in the network subsystem, small amounts of kernel memory may be disclosed to userland processes. Unprivileged authenticated local users may be able to access small amounts of privileged kernel data. En FreeBSD, en versiones anteriores a la 11.1-STABLE(r332066) and 11.1-RELEASE-p10, debido a la insuficiente inicialización de la memoria copiada en userland en el subsistema de Linux, pequeñas cantidades de la memoria del kernel pueden divulgarse a los procesos de userland. Los usuarios locales sin privilegios autenticados podrían ser capaces de acceder a pequeñas cantidades de datos privilegiados del kernel. • http://www.securityfocus.com/bid/104118 https://security.FreeBSD.org/advisories/FreeBSD-EN-18:05.mem.asc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 24EXPL: 5CVE-2018-8897 – Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability
https://notcve.org/view.php?id=CVE-2018-8897
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. • https://www.exploit-db.com/exploits/44697 https://www.exploit-db.com/exploits/45024 https://github.com/can1357/CVE-2018-8897 https://github.com/nmulasmajic/CVE-2018-8897 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 http://openwall.com/lists/oss-security/2018/05/08/1 http://openwall.com/lists/oss-security/2018/05/08/4 http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190921-01-debug-en http: • CWE-250: Execution with Unnecessary Privileges CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-6917
https://notcve.org/view.php?id=CVE-2018-6917
In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, 10.4-RELEASE-p8 and 10.3-RELEASE-p28, insufficient validation of user-provided font parameters can result in an integer overflow, leading to the use of arbitrary kernel memory as glyph data. Unprivileged users may be able to access privileged kernel data. En FreeBSD, en versiones anteriores a 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, 10.4-RELEASE-p8 y 10.3-RELEASE-p28, la validación insuficiente de parámetros de fuente proporcionados por el usuario pueden resultar en un desbordamiento de enteros que conduce al uso de memoria arbitraria del kernel como datos glyph. Los usuarios sin privilegios podrían ser capaces de acceder a datos privilegiados del kernel. • http://www.securityfocus.com/bid/103668 http://www.securitytracker.com/id/1040629 https://security.FreeBSD.org/advisories/FreeBSD-SA-18:04.vt.asc • CWE-190: Integer Overflow or Wraparound •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-6918
https://notcve.org/view.php?id=CVE-2018-6918
In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, 10.4-RELEASE-p8 and 10.3-RELEASE-p28, the length field of the ipsec option header does not count the size of the option header itself, causing an infinite loop when the length is zero. This issue can allow a remote attacker who is able to send an arbitrary packet to cause the machine to crash. En FreeBSD, en versiones anteriores a 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, 10.4-RELEASE-p8 y 10.3-RELEASE-p28, el campo length de la cabecera de opción ipsec no cuenta el tamaño de la propia cabecera de opción. Esto provoca un bucle infinito cuando la longitud es cero. Este problema puede permitir que un atacante remoto que pueda enviar un paquete arbitrario haga que la máquina se cierre inesperadamente. • http://seclists.org/fulldisclosure/2019/Jun/6 http://www.securityfocus.com/bid/103666 http://www.securitytracker.com/id/1040628 https://seclists.org/bugtraq/2019/May/77 https://security.FreeBSD.org/advisories/FreeBSD-SA-18:05.ipsec.asc https://support.apple.com/kb/HT210090 https://support.apple.com/kb/HT210091 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-6919
https://notcve.org/view.php?id=CVE-2018-6919
In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, 10.4-RELEASE-p8 and 10.3-RELEASE-p28, due to insufficient initialization of memory copied to userland, small amounts of kernel memory may be disclosed to userland processes. Unprivileged users may be able to access small amounts privileged kernel data. En FreeBSD, en versiones anteriores a 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, 10.4-RELEASE-p8 y 10.3-RELEASE-p28, debido a la insuficiente inicialización de la memoria copiada al espacio de usuario. Los usuarios sin privilegios podrían ser capaces de acceder pequeñas cantidades de datos privilegiados del kernel. • http://www.securityfocus.com/bid/103760 https://security.FreeBSD.org/advisories/FreeBSD-EN-18:04.mem.asc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •