CVE-2015-3636
kernel: ping sockets: use-after-free leading to local privilege escalation
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
The ping_unhash function in net/ipv4/ping.c in the Linux kernel before 4.0.3 does not initialize a certain list data structure during an unhash operation, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) by leveraging the ability to make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocol, and then making a connect system call after a disconnect.
Vulnerabilidad en la función ping_unhash en net/ipv4/ping.c en el kernel de Linux en versiones anteriores a 4.0.3, no inicializa una cierta estructura de datos de lista durante una operación unhash, lo que permite a usuarios locales obtener privilegios o causar una denegación de servicio (uso después de liberación de memoria y caída del sistema) mediante el aprovechamiento de la capacidad de hacer una llamada a un socket de sistema SOCK_DGRAM para el protocolo IPROTO_ICMP o IPROTO_ICMPV6 y entonces hacer una llamada al sistema de conexión tras una desconexión.
It was found that the Linux kernel's ping socket implementation did not properly handle socket unhashing during spurious disconnects, which could lead to a use-after-free flaw. On x86-64 architecture systems, a local user able to create ping sockets could use this flaw to crash the system. On non-x86-64 architecture systems, a local user able to create ping sockets could use this flaw to escalate their privileges on the system.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2015-05-02 CVE Reserved
- 2015-06-10 CVE Published
- 2015-09-28 First Exploit
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-416: Use After Free
CAPEC
References (31)
| URL | Tag | Source |
|---|---|---|
| http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a134f083e79fb4c3d0a925691e732c56911b4326 | X_refsource_confirm | |
| http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.0.3 | X_refsource_confirm | |
| http://www.openwall.com/lists/oss-security/2015/05/02/5 | Mailing List |
|
| http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html | X_refsource_confirm |
|
| http://www.securityfocus.com/bid/74450 | Vdb Entry | |
| http://www.securitytracker.com/id/1033186 | Vdb Entry | |
| https://github.com/torvalds/linux/commit/a134f083e79fb4c3d0a925691e732c56911b4326 | X_refsource_confirm |
| URL | Date | SRC |
|---|---|---|
| https://github.com/fi01/CVE-2015-3636 | 2015-09-28 | |
| https://github.com/a7vinx/CVE-2015-3636 | 2017-01-03 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | <= 4.0.2 Search vendor "Linux" for product "Linux Kernel" and version " <= 4.0.2" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04" | lts |
Affected
| ||||||