The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Noyau Linux

vulnerability bulletin CVE-2014-9715

Linux kernel: denial of service via Netfilter Conntrack Ext

Synthesis of the vulnerability

An attacker can send packets that require a complex analysis by Netfilter Conntrack, in order to trigger a denial of service of the Linux kernel.
Impacted products: Debian, Linux, netfilter, openSUSE, RHEL, Ubuntu.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: intranet client.
Creation date: 08/04/2015.
Identifiers: CERTFR-2015-AVI-236, CERTFR-2015-AVI-328, CVE-2014-9715, DSA-3237-1, openSUSE-SU-2016:0301-1, RHSA-2015:1534-01, RHSA-2015:1564-01, RHSA-2015:1565-01, USN-2611-1, USN-2612-1, USN-2613-1, USN-2614-1, VIGILANCE-VUL-16553.

Description of the vulnerability

The Linux kernel includes the Netfilter firewall, whose connection tracking is implemented by Conntrack.

The nf_ct_ext structure stores the extensions required to track some protocols. However, the size of these extensions is stored in an 8-bit integer, whereas the cumulated size can be larger than 256 bytes in some cases (PPTP + NAT). Netfilter then tries to read an unreachable memory area, which triggers a fatal error.

An attacker can therefore send packets that require a complex analysis by Netfilter Conntrack, in order to trigger a denial of service of the Linux kernel.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2015-2925

Linux kernel: privilege escalation via Bind Mount

Synthesis of the vulnerability

An attacker can use a Bind Mount on the Linux kernel, in order to escalate his privileges.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, NSM Central Manager, NSMXpress, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: user shell.
Creation date: 03/04/2015.
Identifiers: CERTFR-2015-AVI-430, CERTFR-2015-AVI-498, CERTFR-2017-AVI-012, CERTFR-2017-AVI-022, CVE-2015-2925, DSA-3364-1, DSA-3372-1, FEDORA-2015-d7e074ba30, FEDORA-2015-dcc260f2f2, JSA10774, JSA10853, K31026324, openSUSE-SU-2015:1842-1, openSUSE-SU-2016:0301-1, RHSA-2015:2152-02, RHSA-2015:2411-01, RHSA-2015:2587-01, RHSA-2015:2636-01, SOL31026324, SUSE-SU-2015:2194-1, SUSE-SU-2015:2292-1, USN-2792-1, USN-2794-1, USN-2795-1, USN-2796-1, USN-2797-1, USN-2798-1, USN-2799-1, VIGILANCE-VUL-16535.

Description of the vulnerability

The "--bind" option of mount can be used to make a directory tree visible at several locations in the file system.

The Linux kernel supports containers, which are used to confine applications.

However, a local attacker can use a double bind mount in order to access resources located outside their container.

An attacker can therefore use a Bind Mount on the Linux kernel, in order to escalate his privileges.

vulnerability note CVE-2015-2922 CVE-2015-2923 CVE-2015-2924

Linux kernel, FreeBSD: denial of service via IPv6 RA Hop Limit

Synthesis of the vulnerability

An attacker on the LAN can spoof ICMPv6 RA packets with a low Hop Limit, in order to trigger a denial of service of the Linux or FreeBSD IPv6 stacks.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, Android OS, Linux, openSUSE, Solaris, pfSense, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: LAN.
Number of vulnerabilities in this bulletin: 3.
Creation date: 03/04/2015.
Identifiers: bulletinoct2015, CERTFR-2015-AVI-198, CERTFR-2015-AVI-328, CERTFR-2015-AVI-357, CVE-2015-2922, CVE-2015-2923, CVE-2015-2924, DSA-3175-1, DSA-3175-2, DSA-3237-1, FEDORA-2015-6294, FEDORA-2015-6320, FEDORA-2015-7623, FreeBSD-SA-15:09.ipv6, K51518670, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, RHSA-2015:1221-01, RHSA-2015:1534-01, RHSA-2015:1564-01, RHSA-2015:1565-01, RHSA-2015:2315-01, SOL51518670, SUSE-SU-2015:1071-1, SUSE-SU-2015:1224-1, SUSE-SU-2015:1376-1, SUSE-SU-2015:1478-1, USN-2585-1, USN-2586-1, USN-2587-1, USN-2589-1, USN-2590-1, VIGILANCE-VUL-16534.

Description of the vulnerability

On a local network, IPv6 routers send ICMPv6 Router Advertisement messages to announce their presence. This packet contains a field named "Cur Hop Limit", which indicates the default value that IPv6 clients should use in their Hop Count field.

RFC 3756 recommends ignoring a "Cur Hop Limit" value lower than the current one. However, the Linux and FreeBSD implementations accept lowering the Hop Count value to 1, which prevents the transmission of packets (they are dropped by the first router).

An attacker on the LAN can therefore spoof ICMPv6 RA packets with a low Hop Limit, in order to trigger a denial of service of the Linux or FreeBSD IPv6 stacks.

computer vulnerability CVE-2015-2830

Linux kernel: privilege escalation via int80 fork

Synthesis of the vulnerability

A local attacker can use interrupt 128 for the fork() system call on the Linux kernel, in order to escalate his privileges.
Impacted products: Debian, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 02/04/2015.
Identifiers: CERTFR-2015-AVI-198, CERTFR-2015-AVI-236, CERTFR-2015-AVI-254, CERTFR-2015-AVI-263, CVE-2015-2830, DSA-3237-1, openSUSE-SU-2016:0301-1, RHSA-2015:1137-01, RHSA-2015:1138-01, RHSA-2015:1139-01, RHSA-2015:1221-01, SUSE-SU-2015:1071-1, SUSE-SU-2015:1376-1, SUSE-SU-2015:1478-1, SUSE-SU-2015:1592-1, SUSE-SU-2015:1611-1, USN-2589-1, USN-2590-1, USN-2613-1, USN-2614-1, USN-2631-1, USN-2632-1, VIGILANCE-VUL-16525.

Description of the vulnerability

Interrupt 0x80 (128) is used to perform a system call (syscall).

The Linux kernel can run on an x86_64 computer with 32-bit emulation enabled. However, in this case, a fork() or close() issued through interrupt 0x80 returns in an incorrect state, which disturbs the seccomp and audit features. It may then be possible to escape from a seccomp sandbox.

A local attacker can therefore use interrupt 128 for the fork() system call on the Linux kernel, in order to escalate his privileges.

vulnerability note 16484

Linux kernel: weakness of ASLR on AMD Bulldozer

Synthesis of the vulnerability

An attacker can use a weakness of the Linux kernel's ASLR on AMD Bulldozer processors, in order to guess a memory address more easily.
Impacted products: Linux.
Severity: 1/4.
Consequences: data reading.
Provenance: user account.
Creation date: 27/03/2015.
Identifiers: VIGILANCE-VUL-16484.

Description of the vulnerability

Systems use ASLR in order to randomize memory addresses used by programs and libraries.

The arch_get_unmapped_area() function in arch/x86/kernel/sys_x86_64.c contains an alignment optimization for AMD Bulldozer processors. However, this alignment handling reduces the number of random bits actually used.

An attacker can therefore use a weakness of the Linux kernel's ASLR on AMD Bulldozer processors, in order to guess a memory address more easily.

vulnerability announce CVE-2014-9710

Linux kernel: bypassing ACLs on btrfs

Synthesis of the vulnerability

A local attacker can repeatedly access a btrfs filesystem on the Linux kernel, in order to bypass its ACLs.
Impacted products: Linux, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, data reading, data creation/edition, data deletion.
Provenance: user shell.
Creation date: 24/03/2015.
Identifiers: CERTFR-2015-AVI-236, CERTFR-2015-AVI-283, CVE-2014-9710, SUSE-SU-2015:1224-1, USN-2615-1, USN-2616-1, USN-2662-1, USN-2663-1, VIGILANCE-VUL-16452.

Description of the vulnerability

The btrfs filesystem is supported since Linux kernel version 2.6.29 (CONFIG_BTRFS_FS).

ACLs are stored in extended attributes (xattrs). However, while an attribute is being changed, there is a window during which the xattr is empty, meaning that no ACL is in effect.

A local attacker can therefore repeatedly access a btrfs filesystem on the Linux kernel, in order to bypass its ACLs.

vulnerability alert CVE-2015-2686

Linux kernel: read-write access via sys_sendto/sys_recvfrom

Synthesis of the vulnerability

A local attacker can bypass access restrictions of sys_sendto/sys_recvfrom of the Linux kernel, in order to read or alter kernel memory data.
Impacted products: Linux.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, data reading, data creation/edition, data deletion.
Provenance: user shell.
Creation date: 24/03/2015.
Identifiers: CVE-2015-2686, VIGILANCE-VUL-16451.

Description of the vulnerability

The Linux kernel implements the sendto() and recvfrom() system calls to exchange data with a socket.

However, since version 3.19, these functions do not check whether the supplied memory addresses are accessible to the user.

A local attacker can therefore bypass access restrictions of sys_sendto/sys_recvfrom of the Linux kernel, in order to read or alter kernel memory data.

vulnerability note CVE-2015-2666

Linux kernel: buffer overflow of Intel microcode

Synthesis of the vulnerability

An attacker can generate a buffer overflow with a malicious Intel microcode, in order to trigger a denial of service of the Linux kernel, and possibly to execute code.
Impacted products: Fedora, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: privileged shell.
Creation date: 18/03/2015.
Identifiers: CERTFR-2015-AVI-198, CERTFR-2015-AVI-328, CVE-2015-2666, FEDORA-2015-4457, FEDORA-2015-5024, openSUSE-SU-2016:0301-1, RHSA-2015:1534-01, RHSA-2015:1565-01, SUSE-SU-2015:1071-1, USN-2587-1, USN-2589-1, USN-2590-1, VIGILANCE-VUL-16414.

Description of the vulnerability

Intel processors use microcode, which translates assembly instructions into the processor's internal operations.

However, if the microcode data is larger than the storage array, an overflow occurs in the get_matching_model_microcode() function of the arch/x86/kernel/cpu/microcode/intel_early.c file.

Note that this microcode is provided by Intel, by a Linux distribution vendor, or by a local administrator.

An attacker can therefore generate a buffer overflow with a malicious Intel microcode, in order to trigger a denial of service of the Linux kernel, and possibly to execute code.

vulnerability bulletin CVE-2015-2672

Linux kernel: denial of service via xsaves/xrstors

Synthesis of the vulnerability

An attacker can use xsaves/xrstors on the Linux kernel, in order to trigger a denial of service.
Impacted products: Fedora, Linux.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 18/03/2015.
Identifiers: CVE-2015-2672, FEDORA-2015-5024, VIGILANCE-VUL-16413.

Description of the vulnerability

The XSAVES instruction saves the processor extended state (supervisor variant); the XRSTORS instruction restores it.

However, because of an invalid label name in the kernel code, a local attacker can use these instructions to trigger a fatal error in the kernel.

An attacker can therefore use xsaves/xrstors on the Linux kernel, in order to trigger a denial of service.

computer vulnerability bulletin CVE-2014-8173

Linux kernel: NULL pointer dereference via pmd_none_or_trans_huge_or_clear_bad

Synthesis of the vulnerability

A local attacker can force a NULL pointer to be dereferenced in the pmd_none_or_trans_huge_or_clear_bad() function of the Linux kernel, in order to trigger a denial of service.
Impacted products: Linux, openSUSE, RHEL.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: user shell.
Creation date: 17/03/2015.
Identifiers: CERTFR-2015-AVI-093, CVE-2014-8173, openSUSE-SU-2015:0714-1, RHSA-2015:0290-01, RHSA-2015:0694-01, VIGILANCE-VUL-16398.

Description of the vulnerability

The madvise() system call lets a program advise the kernel on how to manage a memory range.

The MADV_WILLNEED advice indicates that the program will soon need to access the memory. However, the Page Middle Directory function pmd_none_or_trans_huge_or_clear_bad() does not check whether a pointer is NULL before using it.

A local attacker can therefore force a NULL pointer to be dereferenced in the pmd_none_or_trans_huge_or_clear_bad() function of the Linux kernel, in order to trigger a denial of service.