CVE-2014-1737
kernel: block: floppy: privilege escalation via FDRAWCMD floppy ioctl command
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device.
La funciĆ³n raw_cmd_copyin en drivers/block/floppy.c en el kernel de Linux hasta 3.14.3 no maneja debidamente condiciones de error durante el procesado de una llamada FDRAWCMD ioctl, lo que permite a usuarios locales provocar operaciones kfree y ganar privilegios mediante el aprovechamiento de acceso de escritura hacia un dispositivo /dev/fd.
A flaw was found in the way the Linux kernel's floppy driver handled user space provided data in certain error code paths while processing FDRAWCMD IOCTL commands. A local user with write access to /dev/fdX could use this flaw to free (using the kfree() function) arbitrary kernel memory. (CVE-2014-1737, Important)
It was found that the Linux kernel's floppy driver leaked internal kernel memory addresses to user space during the processing of the FDRAWCMD IOCTL command. A local user with write access to /dev/fdX could use this flaw to obtain information about the kernel heap arrangement. (CVE-2014-1738, Low)
Note: A local user with write access to /dev/fdX could use these two flaws (CVE-2014-1737 in combination with CVE-2014-1738) to escalate their privileges on the system.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-01-29 CVE Reserved
- 2014-05-11 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-754: Improper Check for Unusual or Exceptional Conditions
CAPEC
References (19)
URL | Tag | Source |
---|---|---|
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=ef87dbe7614341c2e7bfe8d32fcb7028cc97442c | X_refsource_confirm | |
http://linux.oracle.com/errata/ELSA-2014-0771.html | X_refsource_confirm | |
http://linux.oracle.com/errata/ELSA-2014-3043.html | X_refsource_confirm | |
http://secunia.com/advisories/59262 | Third Party Advisory | |
http://secunia.com/advisories/59309 | Third Party Advisory | |
http://secunia.com/advisories/59406 | Third Party Advisory | |
http://secunia.com/advisories/59599 | Third Party Advisory | |
http://www.openwall.com/lists/oss-security/2014/05/09/2 | Mailing List | |
http://www.securityfocus.com/bid/67300 | Vdb Entry | |
http://www.securitytracker.com/id/1030474 | Vdb Entry | |
https://github.com/torvalds/linux/commit/ef87dbe7614341c2e7bfe8d32fcb7028cc97442c | X_refsource_confirm |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 3.2.59 Search vendor "Linux" for product "Linux Kernel" and version " < 3.2.59" | - |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.3 < 3.4.90 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.3 < 3.4.90" | - |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.5 < 3.10.40 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.5 < 3.10.40" | - |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.11 < 3.12.20 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.11 < 3.12.20" | - |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.13 < 3.14.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 3.14.4" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Linux Search vendor "Oracle" for product "Linux" | 5 Search vendor "Oracle" for product "Linux" and version "5" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Linux Search vendor "Oracle" for product "Linux" | 6 Search vendor "Oracle" for product "Linux" and version "6" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 6.0 Search vendor "Debian" for product "Debian Linux" and version "6.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0" | - |
Affected
| ||||||
Suse Search vendor "Suse" | Linux Enterprise Desktop Search vendor "Suse" for product "Linux Enterprise Desktop" | 11 Search vendor "Suse" for product "Linux Enterprise Desktop" and version "11" | sp3 |
Affected
| ||||||
Suse Search vendor "Suse" | Linux Enterprise High Availability Extension Search vendor "Suse" for product "Linux Enterprise High Availability Extension" | 11 Search vendor "Suse" for product "Linux Enterprise High Availability Extension" and version "11" | sp3 |
Affected
| ||||||
Suse Search vendor "Suse" | Linux Enterprise Real Time Extension Search vendor "Suse" for product "Linux Enterprise Real Time Extension" | 11 Search vendor "Suse" for product "Linux Enterprise Real Time Extension" and version "11" | sp3 |
Affected
| ||||||
Suse Search vendor "Suse" | Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server" | 11 Search vendor "Suse" for product "Linux Enterprise Server" and version "11" | sp3 |
Affected
| ||||||
Suse Search vendor "Suse" | Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server" | 11 Search vendor "Suse" for product "Linux Enterprise Server" and version "11" | sp3, vmware |
Affected
| ||||||
Redhat Search vendor "Redhat" | Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus" | 5.6 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "5.6" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus" | 6.3 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "6.3" | - |
Affected
|