[email protected]CVE-2018-1124

HistoryMay 23, 2018 - 1:29 p.m.

CVE-2018-1124

2018-05-2313:29:00

CWE-787

CWE-190

[email protected]

web.nvd.nist.gov

251

cve-2018-1124

procps-ng

integer overflow

heap corruption

privilege escalation

procfs

arbitrary code execution

nvd

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

4.6 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

0.0005 Low

EPSS

Percentile

16.1%

JSON

procps-ng before version 3.3.15 is vulnerable to multiple integer overflows leading to a heap corruption in file2strvec function. This allows a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users.

VendorProductVersionCPE
procps-ng_projectprocps-ng*cpe:2.3:a:procps-ng_project:procps-ng:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
procps-ng_project	procps-ng	*	cpe:2.3:a:procps-ng_project:procps-ng::::::::

References

lists.opensuse.org/opensuse-security-announce/2019-10/msg00058.html

lists.opensuse.org/opensuse-security-announce/2019-10/msg00059.html

seclists.org/oss-sec/2018/q2/122

www.securityfocus.com/bid/104214

www.securitytracker.com/id/1041057

access.redhat.com/errata/RHSA-2018:1700

access.redhat.com/errata/RHSA-2018:1777

access.redhat.com/errata/RHSA-2018:1820

access.redhat.com/errata/RHSA-2018:2267

access.redhat.com/errata/RHSA-2018:2268

access.redhat.com/errata/RHSA-2019:1944

access.redhat.com/errata/RHSA-2019:2401

bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1124

help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0

kc.mcafee.com/corporate/index?page=content&id=SB10241

lists.debian.org/debian-lts-announce/2018/05/msg00021.html

security.gentoo.org/glsa/201805-14

usn.ubuntu.com/3658-1/

usn.ubuntu.com/3658-2/

www.debian.org/security/2018/dsa-4208

www.exploit-db.com/exploits/44806/

www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt

Social References

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

4.6 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

0.0005 Low

EPSS

Percentile

16.1%

JSON

CVE-2018-1124

References

Social References

Related