CVE-2019-19241
Linux 5.3 - Privilege Escalation via io_uring Offload of sendmsg() onto Kernel Thread with Kernel Creds
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context.
En el kernel de Linux versiones anteriores a la versión 5.4.2, la característica io_uring genera peticiones que inadvertidamente tienen UID 0 y capacidades completas, también se conoce como CID-181e448d8709. Esto está relacionado con los archivos fs/io-wq.c, fs/io_uring.c, y net/socket.c. Por ejemplo, un atacante puede eludir las restricciones previstas para agregar una dirección IPv4 a la interfaz de bucle invertido. Esto ocurre porque las operaciones IORING_OP_SENDMSG, aunque se solicitan en el contexto de un usuario sin privilegios, a veces las realiza un subproceso de trabajo del kernel sin tener en cuenta ese contexto.
Linux suffers from a privilege escalation vulnerability via io_uring offload of sendmsg() onto kernel thread with kernel creds.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-11-25 CVE Reserved
- 2019-12-16 CVE Published
- 2019-12-16 First Exploit
- 2024-08-05 CVE Updated
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
CAPEC
References (7)
URL | Tag | Source |
---|---|---|
https://bugs.chromium.org/p/project-zero/issues/detail?id=1975 | Mailing List | |
https://security.netapp.com/advisory/ntap-20200103-0001 | X_refsource_confirm |
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/47779 | 2019-12-16 |
URL | Date | SRC |
---|---|---|
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.2 | 2020-08-24 | |
https://usn.ubuntu.com/4284-1 | 2020-08-24 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 5.4.2 Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.2" | - |
Affected
|