// For flags

CVE-2015-2925

Kernel: vfs: Do not allow escaping from bind mounts

Severity Score

6.9
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a "double-chroot attack."

La función prepend_path en fs/dcache.c en el kernel Linux en versiones anteriores a 4.2.4 no maneja adecuadamente el cambio de nombre de las acciones dentro de un enlace de montaje, lo que permite a usuarios locales eludir un mecanismo de protección destinado al contenedor mediante el cambio de nombre de un directorio, relacionado con un 'double-chroot attack'.

A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Medium
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
Attack Vector
Local
Attack Complexity
High
Authentication
Single
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2015-04-04 CVE Reserved
  • 2015-09-23 CVE Published
  • 2024-08-06 CVE Updated
  • 2024-08-22 First Exploit
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-254: 7PK - Security Features
CAPEC
References (36)
URL Tag Source
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=397d425dc26da728396e66d392d5dcb8dac30c37 X_refsource_confirm
http://permalink.gmane.org/gmane.linux.kernel.containers/29173 Mailing List
http://permalink.gmane.org/gmane.linux.kernel.containers/29177 Mailing List
http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?h=f22&id=520b64102de2f184036024b2a53de2b67463bd78 X_refsource_confirm
http://www.openwall.com/lists/oss-security/2015/04/04/4 Mailing List
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html X_refsource_confirm
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html X_refsource_confirm
http://www.securityfocus.com/bid/73926 Vdb Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1209373 X_refsource_confirm
URL Date SRC
https://github.com/Kagami/docker_cve-2015-2925 2024-08-22
URL Date SRC
URL Date SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cde93be45a8a90d8c264c776fab63487b5038a65 2018-01-05
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00005.html 2018-01-05
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00018.html 2018-01-05
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00007.html 2018-01-05
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00009.html 2018-01-05
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00017.html 2018-01-05
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00018.html 2018-01-05
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00019.html 2018-01-05
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00020.html 2018-01-05
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00021.html 2018-01-05
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00022.html 2018-01-05
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00034.html 2018-01-05
http://rhn.redhat.com/errata/RHSA-2015-2636.html 2018-01-05
http://rhn.redhat.com/errata/RHSA-2016-0068.html 2018-01-05
http://www.debian.org/security/2015/dsa-3364 2018-01-05
http://www.debian.org/security/2015/dsa-3372 2018-01-05
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.2.4 2018-01-05
http://www.ubuntu.com/usn/USN-2792-1 2018-01-05
http://www.ubuntu.com/usn/USN-2794-1 2018-01-05
http://www.ubuntu.com/usn/USN-2795-1 2018-01-05
http://www.ubuntu.com/usn/USN-2798-1 2018-01-05
http://www.ubuntu.com/usn/USN-2799-1 2018-01-05
https://bugzilla.redhat.com/show_bug.cgi?id=1209367 2016-01-26
https://github.com/torvalds/linux/commit/397d425dc26da728396e66d392d5dcb8dac30c37 2018-01-05
https://github.com/torvalds/linux/commit/cde93be45a8a90d8c264c776fab63487b5038a65 2018-01-05
https://access.redhat.com/security/cve/CVE-2015-2925 2016-01-26
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 <= 4.2.3
Search vendor "Linux" for product "Linux Kernel" and version " <= 4.2.3"
-
Affected