The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of the Linux kernel

computer vulnerability bulletin CVE-2015-4176

Linux kernel: read-write access via MNT_DETACH

Synthesis of the vulnerability

A local attacker can bypass access restrictions via MNT_DETACH on the Linux kernel, in order to read or alter files, bypassing a User Namespace.
Impacted products: Linux.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: user account.
Creation date: 04/06/2015.
Identifiers: CVE-2015-4176, VIGILANCE-VUL-17068.

Description of the vulnerability

The User Namespace (CONFIG_USER_NS) feature provides jailed environments.

When the user calls umount(MNT_DETACH), the __detach_mounts() function of the fs/namespace.c file calls umount_tree() which does not always disconnect the mount point on the file system.

A local attacker can therefore bypass access restrictions via MNT_DETACH on the Linux kernel, in order to read or alter files, bypassing a User Namespace.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2014-9731

Linux kernel: information disclosure via UDF

Synthesis of the vulnerability

A local attacker can mount a malicious UDF filesystem on Linux, in order to obtain sensitive information from the kernel memory.
Impacted products: Android OS, Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: data reading.
Provenance: privileged console.
Creation date: 03/06/2015.
Identifiers: CERTFR-2015-AVI-357, CVE-2014-9731, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, SUSE-SU-2015:1224-1, SUSE-SU-2015:1324-1, SUSE-SU-2015:1592-1, SUSE-SU-2015:1611-1, VIGILANCE-VUL-17056.

Description of the vulnerability

The Linux kernel supports the UDF filesystem, which is used for DVDs.

UDF filesystems support symbolic links. However, if the link name is malformed, the code in fs/udf/symlink.c does not detect the end of the filename, and the readlink() function thus returns the content of kernel memory to the user.

A local attacker can therefore mount a malicious UDF filesystem on Linux, in order to obtain sensitive information from the kernel memory.

vulnerability bulletin CVE-2014-9728 CVE-2014-9729 CVE-2014-9730

Linux kernel: multiple buffer overflows in UDF

Synthesis of the vulnerability

An attacker can generate a buffer overflow in the function __udf_adinicb_readpage from the UDF module of the Linux kernel, in order to trigger a denial of service, and possibly to execute code.
Impacted products: BIG-IP Hardware, TMOS, Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server, denial of service on service, denial of service on client.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 3.
Creation date: 03/06/2015.
Identifiers: CERTFR-2015-AVI-357, CVE-2014-9728, CVE-2014-9729, CVE-2014-9730, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, SOL17447, SUSE-SU-2015:1224-1, SUSE-SU-2015:1324-1, SUSE-SU-2015:1592-1, SUSE-SU-2015:1611-1, VIGILANCE-VUL-17043.

Description of the vulnerability

The UDF filesystem is used for DVDs.

The module does not check the validity of the size field for the whole i-node. [severity:1/4; CVE-2014-9729]

The module does not correctly check the constraints on the paths that symbolic links point to. [severity:1/4; CVE-2014-9730]

The module does not check whether the length of a symbolic link is smaller than the maximum length supported by the kernel. [severity:1/4]

An attacker can therefore generate a buffer overflow in the function __udf_adinicb_readpage from the UDF module of the Linux kernel, in order to trigger a denial of service, and possibly to execute code.

vulnerability alert CVE-2015-4167

Linux kernel: denial of service via UDF

Synthesis of the vulnerability

An attacker can create an ill-formed UDF filesystem image and make the Linux kernel mount and then read it, in order to trigger a denial of service.
Impacted products: Debian, BIG-IP Hardware, TMOS, Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: user shell.
Creation date: 03/06/2015.
Identifiers: CERTFR-2015-AVI-254, CERTFR-2015-AVI-283, CERTFR-2015-AVI-357, CVE-2015-4167, DSA-3313-1, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, SOL17321, SUSE-SU-2015:1324-1, SUSE-SU-2015:1592-1, SUSE-SU-2015:1611-1, USN-2631-1, USN-2632-1, USN-2662-1, USN-2663-1, USN-2664-1, USN-2666-1, VIGILANCE-VUL-17041.

Description of the vulnerability

The UDF filesystem is used for DVDs.

However, the UDF module does not check all the length fields included in the file descriptors (aka i-nodes). When the kernel detects that it is following an invalid address that appeared valid according to those length fields, it halts and reports a bug.

An attacker can therefore create an ill-formed UDF filesystem image and make the Linux kernel mount and then read it, in order to trigger a denial of service.

computer vulnerability bulletin CVE-2015-1805

Linux kernel: memory corruption via pipe_iov_copy

Synthesis of the vulnerability

A local attacker can generate a memory corruption in pipe_iov_copy functions of the Linux kernel, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Debian, BIG-IP Hardware, TMOS, Android OS, NSM Central Manager, NSMXpress, Linux, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server.
Provenance: user shell.
Creation date: 03/06/2015.
Identifiers: 1202855, CERTFR-2015-AVI-243, CERTFR-2015-AVI-261, CERTFR-2015-AVI-263, CERTFR-2015-AVI-318, CVE-2015-1805, DSA-3290-1, JSA10853, RHSA-2015:1042-01, RHSA-2015:1081-01, RHSA-2015:1082-01, RHSA-2015:1120-01, RHSA-2015:1137-01, RHSA-2015:1138-01, RHSA-2015:1139-01, RHSA-2015:1190-01, RHSA-2015:1199-01, RHSA-2015:1211-01, RHSA-2016:0103-01, SOL17458, SOL17462, SUSE-SU-2015:1224-1, SUSE-SU-2015:1324-1, SUSE-SU-2015:1478-1, SUSE-SU-2015:1592-1, SUSE-SU-2015:1611-1, USN-2678-1, USN-2679-1, USN-2680-1, USN-2681-1, VIGILANCE-VUL-17038.

Description of the vulnerability

The Linux kernel implements Unix pipes using the virtual PipeFS filesystem (fs/pipe.c).

The pipe read/write functions use pipe_iov_copy_to_user() and pipe_iov_copy_from_user() from fs/pipe.c. However, if the iovec size is inconsistent, these functions perform copies on invalid memory areas.

A local attacker can therefore generate a memory corruption in pipe_iov_copy functions of the Linux kernel, in order to trigger a denial of service, and possibly to execute code.

vulnerability announce CVE-2015-4177 CVE-2015-4178

Linux kernel: NULL pointer dereference via User Namespace Mount

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced in User Namespace Mount of the Linux kernel, in order to trigger a denial of service.
Impacted products: Fedora, Linux.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 01/06/2015.
Identifiers: CVE-2015-4177, CVE-2015-4178, FEDORA-2015-9127, FEDORA-2015-9227, VIGILANCE-VUL-17022.

Description of the vulnerability

The User Namespace (CONFIG_USER_NS) feature provides jailed environments.

However, when the user triggers an unmount error, the code in fs/namespace.c does not check whether a pointer is NULL before using it.

An attacker can therefore force a NULL pointer to be dereferenced in User Namespace Mount of the Linux kernel, in order to trigger a denial of service.

vulnerability CVE-2015-4170

Linux kernel: denial of service via ldsem_down_read

Synthesis of the vulnerability

A local attacker can trigger a deadlock in the ldsem_down_read() function of the Linux kernel, in order to trigger a denial of service.
Impacted products: Linux, RHEL.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: user account.
Creation date: 26/05/2015.
Identifiers: CERTFR-2015-AVI-498, CVE-2015-4170, RHSA-2015:2152-02, RHSA-2015:2411-01, RHSA-2016:1395-01, VIGILANCE-VUL-16980.

Description of the vulnerability

The drivers/tty/tty_ldsem.c file of the Linux kernel implements locks for terminals (tty).

The ldsem_down_read() function is used when a terminal is shut down. However, the ldsem_cmpxchg() function uses the wrong counter, so a deadlock occurs.

A local attacker can therefore trigger a deadlock in the ldsem_down_read() function of the Linux kernel, in order to trigger a denial of service.

vulnerability alert CVE-2015-4001 CVE-2015-4002 CVE-2015-4003

Linux kernel: four vulnerabilities of ozwpan

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities in the ozwpan driver of the Linux kernel.
Impacted products: Fedora, Linux, openSUSE, Ubuntu.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: radio connection.
Number of vulnerabilities in this bulletin: 4.
Creation date: 18/05/2015.
Identifiers: CERTFR-2015-AVI-269, CERTFR-2015-AVI-283, CERTFR-2015-AVI-357, CERTFR-2016-AVI-186, CERTFR-2016-AVI-199, CVE-2015-4001, CVE-2015-4002, CVE-2015-4003, CVE-2015-4004, FEDORA-2015-10677, FEDORA-2015-10678, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, USN-2662-1, USN-2663-1, USN-2664-1, USN-2665-1, USN-2666-1, USN-2667-1, USN-2989-1, USN-2998-1, USN-3000-1, USN-3001-1, USN-3002-1, USN-3003-1, USN-3004-1, VIGILANCE-VUL-16911.

Description of the vulnerability

Several vulnerabilities were announced in the Linux kernel.

An attacker can generate an integer overflow in oz_hcd_get_desc_cnf, in order to trigger a denial of service, and possibly to execute code. [severity:2/4; CVE-2015-4001]

An attacker can generate a buffer overflow in oz_usb_handle_ep_data, in order to trigger a denial of service, and possibly to execute code. [severity:2/4; CVE-2015-4002]

An attacker can trigger a division by zero in oz_usb_handle_ep_data(), in order to trigger a denial of service. [severity:2/4; CVE-2015-4003]

An attacker can send packets that are too short, in order to read data from an unrelated memory area. [severity:2/4; CVE-2015-4004]

vulnerability alert CVE-2015-3636

Linux kernel: use after free via ping_unhash

Synthesis of the vulnerability

A local attacker can force the usage of a freed memory area in ping_unhash() of the Linux kernel, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Android OS, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, denial of service on server.
Provenance: privileged shell.
Creation date: 04/05/2015.
Identifiers: CERTFR-2015-AVI-254, CERTFR-2015-AVI-261, CERTFR-2015-AVI-328, CERTFR-2015-AVI-357, CVE-2015-3636, DSA-3290-1, FEDORA-2015-7736, FEDORA-2015-8518, K17246, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, RHSA-2015:1221-01, RHSA-2015:1534-01, RHSA-2015:1564-01, RHSA-2015:1565-01, RHSA-2015:1583-01, RHSA-2015:1643-01, SOL17246, SUSE-SU-2015:1071-1, SUSE-SU-2015:1224-1, SUSE-SU-2015:1376-1, SUSE-SU-2015:1478-1, USN-2631-1, USN-2632-1, USN-2633-1, USN-2634-1, USN-2635-1, USN-2636-1, USN-2637-1, USN-2638-1, VIGILANCE-VUL-16801.

Description of the vulnerability

The Linux kernel supports sockets of type ping, created with:
  socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP)
Access to these sockets is usually restricted.

However, if the user disconnects and then reconnects the socket, the ping_unhash() function frees a memory area before reusing it.

A local attacker can therefore force the usage of a freed memory area in ping_unhash() of the Linux kernel, in order to trigger a denial of service, and possibly to execute code.

vulnerability bulletin CVE-2015-3339

Linux kernel: privilege escalation via chown/execve

Synthesis of the vulnerability

A local attacker can use an execve() during the chown() operation by the Linux kernel, in order to escalate his privileges.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 20/04/2015.
Identifiers: CERTFR-2015-AVI-198, CERTFR-2015-AVI-236, CERTFR-2015-AVI-357, CERTFR-2015-AVI-498, CVE-2015-3339, DSA-3237-1, FEDORA-2015-7736, FEDORA-2015-8518, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, openSUSE-SU-2016:2649-1, RHSA-2015:1272-01, RHSA-2015:2152-02, RHSA-2015:2411-01, SOL95345942, SUSE-SU-2015:1071-1, SUSE-SU-2015:1376-1, SUSE-SU-2016:2074-1, USN-2583-1, USN-2584-1, USN-2596-1, USN-2597-1, USN-2597-2, USN-2598-1, USN-2598-2, USN-2599-1, USN-2599-2, USN-2600-1, USN-2600-2, USN-2601-1, USN-2612-1, VIGILANCE-VUL-16653.

Description of the vulnerability

The chown() system call changes the owner of a file. If this file had the suid/sgid bit, then chown() removes it, using an inode mutex to temporarily lock the access during the operation.

However, the execve() system call does not take this mutex. So there is a window during which the file is still suid/sgid and is already owned by the new user.

A local attacker can therefore use an execve() during the chown() operation by the Linux kernel, in order to escalate his privileges.