
List:       oss-security
Subject:    [oss-security] Linux CVE-2016-4997 (local privilege escalation) and CVE-2016-4998 (out of bounds mem
From:       Jesse Hertz <Jesse.Hertz () nccgroup ! trust>
Date:       2016-06-24 18:53:53
Message-ID: 466B898A-FC0D-4106-A0AB-4DD755C3053E () nccgroup ! trust


Hi All,

As part of a kernel fuzzing project by myself and my colleague Tim Newsham, we are disclosing two vulnerabilities which have been assigned CVEs. Full details of the fuzzing project (with analysis of the vulnerabilities) will be released next week.

These issues are fixed in the following commits:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d04
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb088
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bdf533de6968

And have now been integrated into stable kernel releases: 3.14.73, 4.4.14, and 4.6.3.

These issues occur in the same codepaths as, but are distinct from, a similar vulnerability: CVE-2016-3134 (https://bugs.chromium.org/p/project-zero/issues/detail?id=758).

#########

CVE-2016-4997: Corrupted offset allows for arbitrary decrements in compat IPT_SO_SET_REPLACE setsockopt

Risk: High

Impact: Kernel memory corruption, leading to elevation of privileges or kernel code execution. This occurs in a compat_setsockopt() call that is normally restricted to root; however, Linux 3/4 kernels that support user and network namespaces can allow an unprivileged user to trigger this functionality. This is exploitable from inside a container.

##########

CVE-2016-4998: Out of bounds reads when processing IPT_SO_SET_REPLACE setsockopt

Risk: Medium

Impact: Out of bounds heap memory access, leading to a Denial of Service (or possibly heap disclosure or further impact). This occurs in a setsockopt() call that is normally restricted to root; however, Linux 3/4 kernels that support user and network namespaces can allow an unprivileged user to trigger this functionality. This is exploitable from inside a container.

##########


Best,
-jh
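A defender-side check for the two preconditions this advisory names (a stable release older than the listed fixed ones, and unprivileged user-namespace creation enabled), added here as an example and not part of the original post. The fixed-release table comes from the advisory; the sysctl names are assumptions (kernel.unprivileged_userns_clone is a Debian/Ubuntu patch, user.max_user_namespaces only exists upstream from 4.9 on), and since distributions backport fixes, a version match is a prompt to read the distro changelog rather than proof of exposure.

```python
import os
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

# Stable releases the advisory lists as carrying the fixes: branch -> first fixed patch level.
FIXED_STABLE = {(3, 14): 73, (4, 4): 14, (4, 6): 3}

# Sysctls that can disable unprivileged user-namespace creation (assumed names: the
# first is a Debian/Ubuntu patch, the second exists upstream from 4.9 on).
USERNS_SYSCTLS = ("kernel.unprivileged_userns_clone", "user.max_user_namespaces")


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """'4.4.13-generic' -> (4, 4, 13); '4.6.0-rc5' -> (4, 6, 0). Suffixes are ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def fix_status(release: str) -> str:
    """'fixed' or 'vulnerable' for the listed branches, 'unknown' otherwise. Distros
    backport fixes, so 'vulnerable' means "check the changelog", not proof."""
    major, minor, patch = parse_kernel_release(release)
    fixed_at = FIXED_STABLE.get((major, minor))
    if fixed_at is None:
        return "unknown"
    return "fixed" if patch >= fixed_at else "vulnerable"


def userns_restricted(sysctls: Dict[str, Optional[str]]) -> bool:
    """True when a known sysctl is 0: unprivileged users then cannot create user
    namespaces, so they cannot reach the setsockopt path the advisory describes."""
    return any(v is not None and v.strip() == "0" for v in sysctls.values())


def read_sysctls() -> Dict[str, Optional[str]]:
    """Read the sysctls above from /proc/sys; None where this kernel lacks one."""
    paths = {n: Path("/proc/sys") / n.replace(".", "/") for n in USERNS_SYSCTLS}
    return {n: (p.read_text() if p.exists() else None) for n, p in paths.items()}


def assess(release: str, sysctls: Dict[str, Optional[str]]) -> str:
    """Combine the version check and the namespace check into one verdict."""
    status = fix_status(release)
    if status == "fixed":
        return "patched"
    who = "root only" if userns_restricted(sysctls) else "unprivileged users (containers too)"
    return f"{status}: setsockopt path reachable by {who}"


if __name__ == "__main__":
    print(assess(os.uname().release, read_sysctls()))
```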




