CVE-2018-1000204

kernel: Infoleak caused by incorrect handling of the SG_IO ioctl

Severity Score

5.3

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the userspace. This has been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. NOTE: third parties dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it "virtually impossible to exploit.

** EN DISPUTA ** El kernel de Linux desde la versión 3.18 hasta la 4.16 manipula incorrectamente una llamada IOCTL SG_IO en /dev/sg0 con dxfer_direction=SG_DXFER_FROM_DEV y un cmdp de 6 bytes vacío. Esto puede permitir que se copien hasta 1000 páginas de la memoria dinámica (heap) del kernel al espacio de usuario. Esto ya se ha resuelto en versiones upstream en https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824. El problema tiene un alcance limitado, ya que los usuarios no suelen tener permisos para acceder a los dispositivos SCSI. Por otro lado, por ejemplo, el manual de usuario de Nero sugiere hacer "chmod o+r+w /dev/sg*" para que los dispositivos sean accesibles. NOTA: terceros cuestionan la relevancia de este informe, señalando que el requisito de que un atacante tenga las capacidades CAP_SYS_ADMIN y CAP_SYS_RAWIO lo hace "virtualmente imposible de explotar".

A malformed SG_IO ioctl issued for a SCSI device in the Linux kernel leads to a local kernel data leak manifesting in up to approximately 1000 memory pages copied to the userspace. The problem has limited scope as non-privileged users usually have no permissions to access SCSI device files.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Complete

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-06-08 CVE Reserved
2018-06-26 CVE Published
2024-08-05 CVE Updated
2024-08-21 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (15)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2018/06/26/3	Mailing List
https://lists.debian.org/debian-lts-announce/2018/07/msg00015.html	Mailing List
https://lists.debian.org/debian-lts-announce/2018/07/msg00016.html	Mailing List
https://lists.debian.org/debian-lts-announce/2018/07/msg00020.html	Mailing List

URL	Date	SRC

URL	Date	SRC
https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824	2024-05-17

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00043.html	2024-05-17
https://access.redhat.com/errata/RHSA-2018:2948	2024-05-17
https://usn.ubuntu.com/3696-1	2024-05-17
https://usn.ubuntu.com/3696-2	2024-05-17
https://usn.ubuntu.com/3752-1	2024-05-17
https://usn.ubuntu.com/3752-2	2024-05-17
https://usn.ubuntu.com/3752-3	2024-05-17
https://usn.ubuntu.com/3754-1	2024-05-17
https://access.redhat.com/security/cve/CVE-2018-1000204	2018-10-30
https://bugzilla.redhat.com/show_bug.cgi?id=1589324	2018-10-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.18 <= 4.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.18 <= 4.16"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected