CVE-2016-4565

kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko

  • Severity Score: 7.8 (CVSS v3.1)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

The InfiniBand (aka IB) stack in the Linux kernel before 4.5.3 incorrectly relies on the write system call, which allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface.

The InfiniBand (aka IB) stack in the Linux kernel in versions before 4.5.3 incorrectly relies on write system calls, which allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface.

A flaw was found in the way certain interfaces of the Linux kernel's Infiniband subsystem used write() as bi-directional ioctl() replacement, which could lead to insufficient memory security checks when being invoked using the splice() system call. A local unprivileged user on a system with either Infiniband hardware present or RDMA Userspace Connection Manager Access module explicitly loaded, could use this flaw to escalate their privileges on the system.

*Credits: N/A
CVSS Scores
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Attack Vector: Local
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: Complete

  • Attack Vector: Local
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2016-05-07 CVE Reserved
  • 2016-05-23 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-264: Permissions, Privileges, and Access Controls
CAPEC
References (54)
URL Date SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00044.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00054.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00003.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00008.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00009.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00014.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00015.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00016.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00017.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00018.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00019.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00020.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00021.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00022.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00023.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00026.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00044.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00055.html 2023-01-17
http://rhn.redhat.com/errata/RHSA-2016-1489.html 2023-01-17
http://rhn.redhat.com/errata/RHSA-2016-1581.html 2023-01-17
http://rhn.redhat.com/errata/RHSA-2016-1617.html 2023-01-17
http://rhn.redhat.com/errata/RHSA-2016-1640.html 2023-01-17
http://rhn.redhat.com/errata/RHSA-2016-1657.html 2023-01-17
http://rhn.redhat.com/errata/RHSA-2016-1814.html 2023-01-17
http://www.debian.org/security/2016/dsa-3607 2023-01-17
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.3 2023-01-17
http://www.ubuntu.com/usn/USN-3001-1 2023-01-17
http://www.ubuntu.com/usn/USN-3002-1 2023-01-17
http://www.ubuntu.com/usn/USN-3003-1 2023-01-17
http://www.ubuntu.com/usn/USN-3004-1 2023-01-17
http://www.ubuntu.com/usn/USN-3005-1 2023-01-17
http://www.ubuntu.com/usn/USN-3006-1 2023-01-17
http://www.ubuntu.com/usn/USN-3007-1 2023-01-17
http://www.ubuntu.com/usn/USN-3018-1 2023-01-17
http://www.ubuntu.com/usn/USN-3018-2 2023-01-17
http://www.ubuntu.com/usn/USN-3019-1 2023-01-17
http://www.ubuntu.com/usn/USN-3021-1 2023-01-17
http://www.ubuntu.com/usn/USN-3021-2 2023-01-17
https://access.redhat.com/errata/RHSA-2016:1277 2023-01-17
https://access.redhat.com/errata/RHSA-2016:1301 2023-01-17
https://access.redhat.com/errata/RHSA-2016:1341 2023-01-17
https://access.redhat.com/errata/RHSA-2016:1406 2023-01-17
https://bugzilla.redhat.com/show_bug.cgi?id=1310570 2016-09-06
https://github.com/torvalds/linux/commit/e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3 2023-01-17
https://access.redhat.com/security/cve/CVE-2016-4565 2016-09-06
Affected Vendors, Products, and Versions
Vendor     Product       Version             Other  Status
Linux      Linux Kernel  < 3.2.81            -      Affected
Linux      Linux Kernel  >= 3.3 < 3.10.103   -      Affected
Linux      Linux Kernel  >= 3.11 < 3.12.61   -      Affected
Linux      Linux Kernel  >= 3.13 < 3.14.76   -      Affected
Linux      Linux Kernel  >= 3.15 < 3.16.36   -      Affected
Linux      Linux Kernel  >= 3.17 < 3.18.34   -      Affected
Linux      Linux Kernel  >= 3.19 < 4.1.25    -      Affected
Linux      Linux Kernel  >= 4.2 < 4.4.9      -      Affected
Linux      Linux Kernel  >= 4.5 < 4.5.3      -      Affected
Canonical  Ubuntu Linux  12.04               -      Affected
Canonical  Ubuntu Linux  14.04               esm    Affected
Canonical  Ubuntu Linux  15.10               -      Affected
Canonical  Ubuntu Linux  16.04               esm    Affected
Debian     Debian Linux  8.0                 -      Affected