|The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.|
Linux kernel: privilege escalation via IPC
Synthesis of the vulnerability
A local attacker can manipulate IPC on the Linux kernel, in order to escalate his privileges.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, NSM Central Manager, NSMXpress, Linux, McAfee NSP, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this bulletin: 2/4.
Consequences of an intrusion: administrator access/rights, privileged access/rights.
Hacker's origin: user shell.
Creation date: 02/10/2015.
Références of this threat: CERTFR-2015-AVI-419, CERTFR-2015-AVI-430, CERTFR-2015-AVI-498, CVE-2015-7613, DSA-3372-1, FEDORA-2015-d7e074ba30, FEDORA-2015-dcc260f2f2, JSA10853, K90230486, RHSA-2015:2152-02, RHSA-2015:2411-01, RHSA-2015:2587-01, RHSA-2015:2636-01, SB10146, SOL90230486, SUSE-SU-2015:1727-1, SUSE-SU-2015:2084-1, SUSE-SU-2015:2085-1, SUSE-SU-2015:2086-1, SUSE-SU-2015:2087-1, SUSE-SU-2015:2089-1, SUSE-SU-2015:2090-1, SUSE-SU-2015:2091-1, USN-2761-1, USN-2762-1, USN-2763-1, USN-2764-1, USN-2765-1, USN-2792-1, USN-2796-1, VIGILANCE-VUL-18021.
Description of the vulnerability
The shmget() system call creates a shared memory segment with IPC_CREAT, so two processes can communicate via IPC.
The newque() function of the ipc/msg.c function of the Linux kernel creates this segment. However, it calls ipc_addid() too soon, so the uid associated to the segment is incorrect.
A local attacker can therefore manipulate IPC on the Linux kernel, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)
Computer vulnerabilities tracking service
Vigil@nce provides a computer vulnerability database. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.