CVE-2014-4699
Linux Kernel < 3.2.0-23 (Ubuntu 12.04 x64) - 'ptrace/sysret' Local Privilege Escalation
Public Exploits: 3
Exploited in Wild: -
Decision: -
Descriptions
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.
It was found that the Linux kernel's ptrace subsystem allowed a traced process' instruction pointer to be set to a non-canonical memory address without forcing the non-sysret code path when returning to user space. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.
Note: The CVE-2014-4699 issue only affected systems using an Intel CPU.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2014-06-30 CVE Reserved
- 2014-07-06 CVE Published
- 2014-07-21 First Exploit
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- CWE-642: External Control of Critical State Data
CAPEC
References (35)

URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/34134 | 2014-07-21 | |
http://packetstormsecurity.com/files/127573/Linux-Kernel-ptrace-sysret-Local-Privilege-Escalation.html | 2024-08-06 | |
http://www.exploit-db.com/exploits/34134 | 2024-08-06 | |

URL | Date | SRC |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1115927 | 2014-07-28 | |
https://github.com/torvalds/linux/commit/b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a | 2024-02-16 | |

URL | Date | SRC |
---|---|---|
http://www.debian.org/security/2014/dsa-2972 | 2024-02-16 | |
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.15.4 | 2024-02-16 | |
http://www.ubuntu.com/usn/USN-2266-1 | 2024-02-16 | |
http://www.ubuntu.com/usn/USN-2267-1 | 2024-02-16 | |
http://www.ubuntu.com/usn/USN-2268-1 | 2024-02-16 | |
http://www.ubuntu.com/usn/USN-2269-1 | 2024-02-16 | |
http://www.ubuntu.com/usn/USN-2270-1 | 2024-02-16 | |
http://www.ubuntu.com/usn/USN-2271-1 | 2024-02-16 | |
http://www.ubuntu.com/usn/USN-2272-1 | 2024-02-16 | |
http://www.ubuntu.com/usn/USN-2273-1 | 2024-02-16 | |
http://www.ubuntu.com/usn/USN-2274-1 | 2024-02-16 | |
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.47 | 2024-02-16 | |
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.11 | 2024-02-16 | |
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.97 | 2024-02-16 | |
https://access.redhat.com/security/cve/CVE-2014-4699 | 2014-07-28 | |
Affected Vendors, Products, and Versions

Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Linux | Linux Kernel | >= 2.6.17 < 3.2.61 | - | Affected |
Linux | Linux Kernel | >= 3.3 < 3.4.97 | - | Affected |
Linux | Linux Kernel | >= 3.5 < 3.10.47 | - | Affected |
Linux | Linux Kernel | >= 3.11 < 3.12.25 | - | Affected |
Linux | Linux Kernel | >= 3.13 < 3.14.11 | - | Affected |
Linux | Linux Kernel | >= 3.15 < 3.15.4 | - | Affected |
Debian | Debian Linux | 7.0 | - | Affected |
Canonical | Ubuntu Linux | 10.04 | - | Affected |
Canonical | Ubuntu Linux | 12.04 | esm | Affected |
Canonical | Ubuntu Linux | 13.10 | - | Affected |
Canonical | Ubuntu Linux | 14.04 | esm | Affected |
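The affected-version table above, together with the note that only Intel CPUs are affected, is enough for a first-pass exposure screen. The following script is an added example (not part of this record and not vendor tooling): it compares a kernel release string against the upstream ranges listed in the table and checks the CPU vendor from `/proc/cpuinfo`. The range boundaries are taken from the table; the `vendor_id` string match is an assumption about how `/proc/cpuinfo` reports the vendor.

```python
"""Screen a host against the CVE-2014-4699 affected kernel ranges (added example)."""
import platform
import re

# (lower bound inclusive, upper bound exclusive) as listed in the record's vendor table.
AFFECTED_RANGES = [
    ("2.6.17", "3.2.61"),
    ("3.3", "3.4.97"),
    ("3.5", "3.10.47"),
    ("3.11", "3.12.25"),
    ("3.13", "3.14.11"),
    ("3.15", "3.15.4"),
]


def parse_version(release):
    """Reduce a release string such as '3.2.0-23-generic' to a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) if x else 0 for x in m.groups())


def in_affected_range(release):
    """Return the (lo, hi) upstream range containing this release, or None if outside all of them."""
    v = parse_version(release)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return (lo, hi)
    return None


def is_intel_cpu(cpuinfo_text):
    """Assumption: Intel CPUs report 'GenuineIntel' in the vendor_id line of /proc/cpuinfo."""
    return "GenuineIntel" in cpuinfo_text


def assess(release, cpuinfo_text):
    """Combine the version screen with the Intel-only note from the record."""
    rng = in_affected_range(release)
    if rng is None:
        return "not in an affected upstream range"
    if not is_intel_cpu(cpuinfo_text):
        return "kernel in affected range but CPU is not Intel: not affected per record"
    return "affected (upstream range >= %s < %s): apply the vendor update" % rng


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as f:
            cpuinfo = f.read()
    except OSError:
        cpuinfo = ""  # non-Linux host: treat vendor as unknown
    print(platform.release(), "->", assess(platform.release(), cpuinfo))
```

Distribution kernels carry backported fixes under their own version strings (the USN and DSA entries above are the authoritative fixed package versions), so a match here flags a host for a package-version check rather than confirming it is vulnerable.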