CVE-2018-1095

kernel: out-of-bound access in fs/posix_acl.c:get_acl() causes crash with crafted ext4 image

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The ext4_xattr_check_entries function in fs/ext4/xattr.c in the Linux kernel through 4.15.15 does not properly validate xattr sizes, which causes misinterpretation of a size as an error code, and consequently allows attackers to cause a denial of service (get_acl NULL pointer dereference and system crash) via a crafted ext4 image.

La función ext4_xattr_check_entries en fs/ext4/xattr.c en el kernel de Linux hasta la versión 4.15.15 no valida correctamente los tamaños de xattr, lo que provoca una malinterpretación de un tamaño como un código de error y, en consecuencia, permite que los atacantes provoquen una denegación de servicio (desreferencia de puntero NULL en get_acl y cierre inesperado del sistema) mediante una imagen ext4 manipulada.

The Linux kernel is vulnerable to an out-of-bound access bug in the fs/posix_acl.c:get_acl() function. An attacker could trick a legitimate user or a privileged attacker could exploit this to cause a system crash or other unspecified impact with a crafted ext4 image. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Physical

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-12-04 CVE Reserved
2018-04-02 CVE Published
2023-03-26 EPSS Updated
2024-08-05 CVE Updated
2024-08-05 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-476: NULL Pointer Dereference

CAPEC

References (8)

URL	Tag	Source
http://openwall.com/lists/oss-security/2018/03/29/1	Mailing List

URL	Date	SRC
https://bugzilla.kernel.org/show_bug.cgi?id=199185	2024-08-05

URL	Date	SRC
https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit/?id=ce3fd194fcc6fbdc00ce095a852f22df97baa401	2023-02-13

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2018:2948	2023-02-13
https://bugzilla.redhat.com/show_bug.cgi?id=1560793	2018-10-30
https://usn.ubuntu.com/3695-1	2023-02-13
https://usn.ubuntu.com/3695-2	2023-02-13
https://access.redhat.com/security/cve/CVE-2018-1095	2018-10-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				<= 4.15.15 Search vendor "Linux" for product "Linux Kernel" and version " <= 4.15.15"		-		Affected