The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of the Linux kernel

computer weakness note 18032

Linux kernel: information disclosure via openvswitch

Synthesis of the vulnerability

A local attacker can read a memory fragment of the Linux kernel via openvswitch, in order to obtain sensitive information.
Severity: 1/4.
Creation date: 05/10/2015.
Identifiers: VIGILANCE-VUL-18032.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The Linux kernel implements Open vSwitch, a virtual switch.

However, the ovs_flow_alloc() function of the net/openvswitch/flow_table.c file does not initialize a memory area before returning it to the user.

A local attacker can therefore read a memory fragment of the Linux kernel via openvswitch, in order to obtain sensitive information.

cybersecurity threat CVE-2015-7613

Linux kernel: privilege escalation via IPC

Synthesis of the vulnerability

A local attacker can manipulate IPC on the Linux kernel, in order to escalate his privileges.
Severity: 2/4.
Creation date: 02/10/2015.
Identifiers: CERTFR-2015-AVI-419, CERTFR-2015-AVI-430, CERTFR-2015-AVI-498, CVE-2015-7613, DSA-3372-1, FEDORA-2015-d7e074ba30, FEDORA-2015-dcc260f2f2, JSA10853, K90230486, RHSA-2015:2152-02, RHSA-2015:2411-01, RHSA-2015:2587-01, RHSA-2015:2636-01, SB10146, SOL90230486, SUSE-SU-2015:1727-1, SUSE-SU-2015:2084-1, SUSE-SU-2015:2085-1, SUSE-SU-2015:2086-1, SUSE-SU-2015:2087-1, SUSE-SU-2015:2089-1, SUSE-SU-2015:2090-1, SUSE-SU-2015:2091-1, USN-2761-1, USN-2762-1, USN-2763-1, USN-2764-1, USN-2765-1, USN-2792-1, USN-2796-1, VIGILANCE-VUL-18021.

Description of the vulnerability

The shmget() system call creates a shared memory segment with IPC_CREAT, so two processes can communicate via IPC.

The newque() function of the ipc/msg.c file of the Linux kernel creates this segment. However, it calls ipc_addid() too soon, so the uid associated with the segment is incorrect.

A local attacker can therefore manipulate IPC on the Linux kernel, in order to escalate his privileges.

vulnerability alert 17999

Linux kernel: memory corruption via cifs_ioctl_clone

Synthesis of the vulnerability

A local attacker can generate a memory corruption in the cifs_ioctl_clone() function of the Linux kernel, in order to run code with kernel privileges.
Severity: 2/4.
Creation date: 30/09/2015.
Identifiers: VIGILANCE-VUL-17999.

Description of the vulnerability

The Linux kernel can be compiled with CONFIG_CIFS_SMB2 and CONFIG_CIFS_POSIX. In this case, a CIFS filesystem can be mounted with the option "vers" >= 2.0.

The cifs_ioctl_clone() function implements the BTRFS_IOC_CLONE ioctl, which clones a file on CIFS (the user must have write access to the destination CIFS file). However, if the source file comes from another filesystem, the cifs_ioctl_clone() function copies a bad structure and corrupts memory.

A local attacker can therefore generate a memory corruption in the cifs_ioctl_clone() function of the Linux kernel, in order to run code with kernel privileges.

security vulnerability 17998

Linux kernel: memory disclosure via coredump

Synthesis of the vulnerability

A local attacker can read the coredump of a privileged process, in order to obtain sensitive information.
Severity: 1/4.
Creation date: 30/09/2015.
Identifiers: VIGILANCE-VUL-17998.

Description of the vulnerability

When an error occurs on a process with RLIMIT_CORE different from zero, a coredump occurs, containing an image of its memory.

However, the do_coredump() function of the fs/coredump.c file will store the dump in a pre-existing file (whose path can be changed via a link). So, if the attacker has read access to this file, he can then read the content of this process memory.

A local attacker can therefore read the coredump of a privileged process, in order to obtain sensitive information.

computer vulnerability bulletin CVE-2015-5257

Linux kernel: NULL pointer dereference in the WhiteHEAT driver

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced in the WhiteHEAT driver of the Linux kernel, in order to trigger a denial of service.
Severity: 1/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 23/09/2015.
Identifiers: CERTFR-2015-AVI-430, CVE-2015-5257, CVE-2015-5275-REJECT, DSA-3372-1, FEDORA-2015-d7e074ba30, FEDORA-2015-dcc260f2f2, USN-2792-1, USN-2794-1, USN-2795-1, USN-2796-1, USN-2797-1, USN-2798-1, USN-2799-1, VIGILANCE-VUL-17956.

Description of the vulnerability

The Linux kernel includes a driver for the WhiteHEAT device from Connect Tech.

However, this module assumes that the number of ports of this device is constant. When the true number of ports is lower than expected, the module dereferences a NULL pointer, which leads to a fatal exception.

An attacker can therefore force a NULL pointer to be dereferenced in the WhiteHEAT driver of the Linux kernel, in order to trigger a denial of service.

vulnerability announce CVE-2015-6937

Linux kernel: NULL pointer dereference via net/rds/connection.c

Synthesis of the vulnerability

A local attacker can force a NULL pointer to be dereferenced in net/rds/connection.c of the Linux kernel, in order to trigger a denial of service.
Severity: 1/4.
Creation date: 15/09/2015.
Identifiers: CERTFR-2015-AVI-435, CERTFR-2015-AVI-436, CERTFR-2015-AVI-508, CERTFR-2015-AVI-563, CERTFR-2016-AVI-050, cpuoct2018, CVE-2015-6937, DSA-3364-1, FEDORA-2015-16440, FEDORA-2015-16441, openSUSE-SU-2015:2232-1, openSUSE-SU-2016:0301-1, openSUSE-SU-2016:0318-1, openSUSE-SU-2016:2649-1, SUSE-SU-2015:1727-1, SUSE-SU-2015:2108-1, SUSE-SU-2015:2339-1, SUSE-SU-2015:2350-1, SUSE-SU-2016:0354-1, SUSE-SU-2016:2074-1, USN-2773-1, USN-2774-1, USN-2775-1, USN-2776-1, USN-2777-1, USN-2778-1, USN-2779-1, VIGILANCE-VUL-17886.

Description of the vulnerability

The Linux kernel implements RDS (Reliable Datagram Sockets).

However, if the socket is not bound before a message is sent, the net/rds/connection.c file does not check whether the "trans" (transport) pointer is NULL before using it.

A local attacker can therefore force a NULL pointer to be dereferenced in net/rds/connection.c of the Linux kernel, in order to trigger a denial of service.

security bulletin CVE-2015-3214

Linux kernel, QEMU: kernel memory read via i8254

Synthesis of the vulnerability

An attacker who controls a QEMU/KVM guest system can read a register from an emulated i8254 chip, in order to get potentially sensitive information.
Severity: 1/4.
Creation date: 26/06/2015.
Revision date: 31/08/2015.
Identifiers: CVE-2015-3214, DSA-3348-1, FEDORA-2015-13402, FEDORA-2015-13404, RHSA-2015:1507-01, RHSA-2015:1508-01, RHSA-2015:1512-01, SUSE-SU-2016:1560-1, SUSE-SU-2016:1698-1, SUSE-SU-2016:1703-1, SUSE-SU-2016:1785-1, USN-2692-1, VIGILANCE-VUL-17243.

Description of the vulnerability

The Linux kernel includes code from QEMU for hardware emulation in KVM.

The i8254 component is in charge of clock interrupts. It has write-only I/O registers. However, the pit_ioport_read() function defined in "hw/timer/i8254.c" (QEMU) or "arch/x86/kvm/i8254.c" (Linux) does not block read access.

An attacker who controls a QEMU/KVM guest system can therefore read a register from an emulated i8254 chip, in order to get potentially sensitive information.

security note 17742

Linux kernel: denial of service via Nested Task

Synthesis of the vulnerability

A local attacker can use system calls on the Linux kernel with CONFIG_IA32_EMULATION, in order to trigger a denial of service.
Severity: 1/4.
Creation date: 25/08/2015.
Identifiers: CVE-2015-6666-REJECT, FEDORA-2015-15130, FEDORA-2015-15933, VIGILANCE-VUL-17742.

Description of the vulnerability

The Linux kernel can be compiled with CONFIG_IA32_EMULATION.

An x86 processor uses the NT flag (Nested Task: a task invoked by CALL). As an optimization, the Linux kernel does not save/restore the flags. However, an emulated SYSENTER instruction changes the state, and the NT flag becomes invalid.

A local attacker can therefore use system calls on the Linux kernel with CONFIG_IA32_EMULATION, in order to trigger a denial of service.

computer weakness bulletin CVE-2015-6526

Linux kernel: infinite loop of perf_callchain_user_64

Synthesis of the vulnerability

A local attacker can create a program with a malicious stack layout, in order to generate an infinite loop in the perf_callchain_user_64() function of the Linux kernel.
Severity: 1/4.
Creation date: 18/08/2015.
Identifiers: CERTFR-2015-AVI-417, CERTFR-2015-AVI-498, CVE-2015-6526, openSUSE-SU-2016:2144-1, RHSA-2015:2152-02, USN-2759-1, USN-2760-1, VIGILANCE-VUL-17693.

Description of the vulnerability

The Linux kernel can be installed on a ppc64 processor.

The perf_callchain_user_64() function of the arch/powerpc/perf/callchain.c file builds the list of function calls by unwinding the stack, in order to log this information. However, there is no limit on the number of functions it unwinds.

A local attacker can therefore create a program with a malicious stack layout, in order to generate an infinite loop in the perf_callchain_user_64() function of the Linux kernel.

computer vulnerability bulletin CVE-2015-6252

Linux kernel: descriptor leak via VHOST_SET_LOG_FD

Synthesis of the vulnerability

A privileged local attacker with access to /dev/vhost-net can create a descriptor leak via VHOST_SET_LOG_FD on the Linux kernel, in order to trigger a denial of service.
Severity: 1/4.
Creation date: 18/08/2015.
Identifiers: CERTFR-2015-AVI-411, CERTFR-2015-AVI-417, CERTFR-2015-AVI-435, CERTFR-2015-AVI-508, CERTFR-2016-AVI-050, CVE-2015-6252, DSA-3364-1, openSUSE-SU-2016:2649-1, SUSE-SU-2015:1727-1, SUSE-SU-2015:2108-1, SUSE-SU-2016:0354-1, SUSE-SU-2016:2074-1, USN-2748-1, USN-2749-1, USN-2751-1, USN-2752-1, USN-2759-1, USN-2760-1, USN-2777-1, VIGILANCE-VUL-17692.

Description of the vulnerability

The Linux kernel uses the vhost driver for virtualized environments.

The VHOST_SET_LOG_FD ioctl defines the file descriptor where errors have to be logged. However, the vhost_dev_ioctl() function does not save its value, and this descriptor is thus never closed.

A privileged local attacker with access to /dev/vhost-net can therefore create a descriptor leak via VHOST_SET_LOG_FD on the Linux kernel, in order to trigger a denial of service.