
A couple of unpleasant local kernel vulnerabilities

From:  Jesse Hertz <Jesse.Hertz-XWfolncgt93ild4v1x/yGg-AT-public.gmane.org>
To:  "oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8-AT-public.gmane.org" <oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8-AT-public.gmane.org>
Subject:  Linux CVE-2016-4997 (local privilege escalation) and CVE-2016-4998 (out of bounds memory access)
Date:  Fri, 24 Jun 2016 18:53:53 +0000
Message-ID:  <466B898A-FC0D-4106-A0AB-4DD755C3053E@nccgroup.trust>

Hi All,

As part of a kernel fuzzing project by myself and my colleague Tim Newsham, we are disclosing two
vulnerabilities which have been assigned CVEs. Full details of the fuzzing project (with analysis
of the vulnerabilities) will be released next week.

These issues are fixed in the following commits:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d04
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb088
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bdf533de6968

And have now been integrated into stable kernel releases: 3.14.73, 4.4.14, and 4.6.3.

These issues occur in the same codepaths as, but are distinct from, a similar vulnerability:
CVE-2016-3134 (https://bugs.chromium.org/p/project-zero/issues/detail?id=758).

#########

CVE-2016-4997: Corrupted offset allows for arbitrary decrements in compat IPT_SO_SET_REPLACE
setsockopt

Risk: High

Impact: Kernel memory corruption, leading to elevation of privileges or kernel code execution. This
occurs in a compat_setsockopt() call that is normally restricted to root, however, Linux 3/4
kernels that support user and network namespaces can allow an unprivileged user to trigger this
functionality. This is exploitable from inside a container.

##########

CVE-2016-4998: Out of bounds reads when processing IPT_SO_SET_REPLACE setsockopt

Risk: Medium

Impact: Out of bounds heap memory access, leading to a Denial of Service (or possibly heap
disclosure or further impact). This occurs in a setsockopt() call that is normally restricted to
root, however, Linux 3/4 kernels that support user and network namespaces can allow an unprivileged
user to trigger this functionality. This is exploitable from inside a container.

##########


Best,
-jh
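A small triage helper, added here and not part of the advisory or the kernel project: given a `uname -r` style string, it reports whether that upstream kernel version is in a branch the advisory names as carrying the fixes. The fixed stable releases (3.14.73, 4.4.14, 4.6.3) come from the advisory itself; treating mainline 4.7 and later as fixed is an assumption taken from Ben Hutchings' comment below that the fixes went into 4.7-rc1. Branches the advisory does not list (for example the 4.1.x series raised in the comments) are reported as "unknown" rather than guessed, and distribution kernels that backport fixes without changing the version number are outside what a version string can tell you.

```python
"""Triage helper for CVE-2016-4997 / CVE-2016-4998 (added example, not the
advisory's own code).

Maps an upstream kernel release string to 'fixed', 'vulnerable' or 'unknown'
using only the releases named in the advisory plus the 4.7-rc1 merge point
mentioned in the thread (assumption).  Distribution kernels backport fixes
without bumping the upstream version, so this is a first-pass check on
upstream version numbers only, not a substitute for the vendor's advisory.
"""
import platform
import re
import sys

# Stable branches named in the advisory -> first patch level carrying the fixes.
FIXED_STABLE = {(3, 14): 73, (4, 4): 14, (4, 6): 3}

# Mainline merge point, per the comment that the fixes landed in 4.7-rc1
# (assumption taken from the thread, not from the advisory).
FIXED_MAINLINE = (4, 7)

# major.minor[.patch][-rcN]; anything after that (e.g. '-generic') is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-rc\d+)?")


def parse_release(release):
    """Parse a 'uname -r' style string such as '4.4.13-generic' or '4.7-rc1'.

    Returns (major, minor, patch, is_rc).  A missing patch level (as in
    '4.7-rc1' or '4.7') is treated as 0.
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % (release,))
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return major, minor, patch, m.group(4) is not None


def fix_status(release):
    """Return 'fixed', 'vulnerable' or 'unknown' for an upstream release string."""
    major, minor, patch, _is_rc = parse_release(release)
    branch = (major, minor)
    if branch in FIXED_STABLE:
        # Stable branch the advisory lists: compare the patch level.
        return "fixed" if patch >= FIXED_STABLE[branch] else "vulnerable"
    if branch >= FIXED_MAINLINE:
        # 4.7-rc1 and everything after it carries the fixes (per the thread).
        return "fixed"
    # 4.1.x, 4.5.x and so on: the advisory names no fixed release, so do not guess.
    return "unknown"


if __name__ == "__main__":
    # Check the release given on the command line, else the running kernel.
    rel = sys.argv[1] if len(sys.argv) > 1 else platform.release()
    print("%s: %s" % (rel, fix_status(rel)))
```

Run it with no arguments on the host in question, or pass a version string (`python3 triage.py 4.4.13`) to check a fleet inventory offline. An "unknown" result means the advisory gives no fixed release for that branch; the right next step is the distribution's own changelog, not an assumption either way.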




A couple of unpleasant local kernel vulnerabilities

Posted Jun 26, 2016 6:17 UTC (Sun) by arekm (guest, #4846) [Link] (2 responses)

... and 4.1.27 is without these fixes, right?

A couple of unpleasant local kernel vulnerabilities

Posted Jun 27, 2016 2:27 UTC (Mon) by rich0 (guest, #55509) [Link]

I don't get why stable announcements are handled system across maintainers.

Can the foundation just come out with one policy, and follow it for all stable versions?

Do I need to avoid non-Greg kernels if I want security updates before they're disclosed?

A couple of unpleasant local kernel vulnerabilities

Posted Jul 15, 2016 7:11 UTC (Fri) by arekm (guest, #4846) [Link]

2.5 weeks after there is ... 4.1.28 ;-(

A couple of unpleasant local kernel vulnerabilities

Posted Jun 27, 2016 2:40 UTC (Mon) by kenmoffat (subscriber, #4807) [Link] (1 responses)

If they were fixed in 4.6-rc then all 4.6 releases, not just 4.6.3, surely contain them?

I'm not treating this as a typo because the link specifically mentions 4.6.3. Or is the statement that they were committed in 4.6-rc wrong?

Googling for the (start of) the SHA of that third commit indicated it went into the 3.12 tree in April, so 4.6-rc seems to be correct - at least for that commit.

A couple of unpleasant local kernel vulnerabilities

Posted Jun 27, 2016 20:37 UTC (Mon) by BenHutchings (subscriber, #37955) [Link]

So far as I can see, the fixes for these issues went into 4.7-rc1.

For 3.14.73 Greg also picked several earlier netfilter fixes, also covering CVE-2016-3134.


Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds