OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0007) (Spectre)
The remote OracleVM system is missing necessary patches to address critical security updates : - x86/ibrs: Remove 'ibrs_dump' and remove the pr_debug Konrad Rzeszutek Wilk Orabug: 27350825 - kABI: Revert kABI: Make the boot_cpu_data look normal Konrad Rzeszutek Wilk CVE-2017-5715 - userns: prevent...
Exploiting the Linux kernel via packet sockets
Guest blog post, posted by Andrey Konovalov Introduction Lately I’ve been spending some time fuzzing network-related Linux kernel interfaces with syzkaller. Besides the recently discovered vulnerability in DCCP sockets, I also found another one, this time in packet sockets. This post describes ho...
Ubuntu PT Chown Privilege Escalation
Source: http://www.halfdog.net/Security/2015/PtChownArbitraryPtsAccessViaUserNamespace/ Introduction Problem description: With Ubuntu Wily and earlier, /usr/lib/ptchown was used to change ownership of slave pts devices in /dev/pts to the same uid holding the master file descriptor for the slave...
Ubuntu 14.04/15.10 - User Namespace Overlayfs Xattr Setgid Privilege Escalation Vulnerability
Exploit for linux platform in category local exploits Source: http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/ Introduction Problem description: Linux user namespace allows to mount file systems as normal user, including the overlayfs. As many of those...
Ubuntu 14.04/15.10 - User Namespace Overlayfs Xattr SetGID Privilege Escalation
Source: http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/ Introduction Problem description: Linux user namespace allows to mount file systems as normal user, including the...
Ubuntu 14.04/15.10 - User Namespace Overlayfs Xattr SetGID Privilege Escalation
Source: http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/ Introduction Problem description: Linux user namespace allows to mount file systems as normal user, including the overlayfs. As many of those features were not designed with namespaces in mind, this...
kernel: compat IPT_SO_SET_REPLACE setsockopt
A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled wit...
CVE-2016-4998
The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted...
Linux kernel arbitrary file read vulnerability
The Linux kernel is the kernel used by the operating system Linux, released by the Linux Foundation in the United States. An arbitrary file read vulnerability exists in the fs/namespace.c file in versions of Linux kernel prior to 4.0.2, which stems from a program that does not properly support...
Linux kernel denial of service vulnerability (CNVD-2016-02796)
The Linux kernel is the kernel used by the operating system Linux, released by the Linux Foundation in the United States. A denial of service vulnerability exists in the 'collect_mounts' function in the fs/namespace.c file in versions of Linux kernel prior to 4.0.5, which stems from a program's...
Linux kernel fs_pin implementation denial of service vulnerability
The Linux kernel is the kernel used by the operating system Linux, released by the Linux Foundation in the United States. A denial of service vulnerability exists in the fs_pin implementation of Linux kernel versions prior to 4.0.5, which arises from the program's failure to ensure internal...
CVE-2015-4178
The fs_pin implementation in the Linux kernel before 4.0.5 does not ensure the internal consistency of a certain list data structure, which allows local users to cause a denial of service (system crash) by leveraging user-namespace root access for an MNT_DETACH umount2 system call, related to...
DEBIAN-CVE-2014-9717
fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH umount2 system calls without verifying that the MNT_LOCKED flag is unset, which allows local users to bypass intended access restrictions and navigate to filesystem locations beneath a mount by calling umount2 within a user...
CVE-2014-9717
fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH umount2 system calls without verifying that the MNT_LOCKED flag is unset, which allows local users to bypass intended access restrictions and navigate to filesystem locations beneath a mount by calling umount2 within a user...
CVE-2015-4176
fs/namespace.c in the Linux kernel before 4.0.2 does not properly support mount connectivity, which allows local users to read arbitrary files by leveraging user-namespace root access for deletion of a file or directory...
Arbitrary file deletion
fs/namespace.c in the Linux kernel before 4.0.2 does not properly support mount connectivity, which allows local users to read arbitrary files by leveraging user-namespace root access for deletion of a file or directory...
Design/Logic Flaw
The collect_mounts function in fs/namespace.c in the Linux kernel before 4.0.5 does not properly consider that it may execute after a path has been unmounted, which allows local users to cause a denial of service (system crash) by leveraging user-namespace root access for an MNT_DETACH umount2 system...
Design/Logic Flaw
The fs_pin implementation in the Linux kernel before 4.0.5 does not ensure the internal consistency of a certain list data structure, which allows local users to cause a denial of service (system crash) by leveraging user-namespace root access for an MNT_DETACH umount2 system call, related to...
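Every fs/namespace.c entry above (the MNT_DETACH/MNT_LOCKED bypass and mount-connectivity read before 4.0.2, the collect_mounts and fs_pin crashes before 4.0.5) needs the same precondition, user-namespace root for an unprivileged caller, and the compat IPT_SO_SET_REPLACE entry needs in-container root before 4.6. The following triage check is an added example, not code from any advisory or project listed here: it compares the running kernel release against the fixed-in versions exactly as the entries quote them, and probes whether an unprivileged process can create a user namespace at all. The probe only calls unshare(CLONE_NEWUSER) in a throwaway child; it performs no mount or umount2 call. Linux only; the version thresholds are taken from the entries, the rest is assumption.

```c
/* Added triage check, not code from any entry above. Thresholds are the
 * fixed-in versions the entries quote (4.0.2, 4.0.5, 4.6); the user
 * namespace probe is a generic precondition check, not an exploit. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* value from <linux/sched.h>; fallback only */
#endif

struct kver { int major, minor, patch; };

/* Parse "4.0.1-3-generic" style release strings; a missing patch level is 0. */
int parse_kver(const char *s, struct kver *v)
{
    v->major = v->minor = v->patch = 0;
    return sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) >= 2;
}

/* Three-way compare like strcmp(): <0, 0, >0. */
int cmp_kver(const struct kver *a, const struct kver *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    return 0;
}

/* 1 when `release` is strictly before `fixed` (the CVE wording "before X").
 * Unparseable input is reported as not older, so garbage never yields a
 * false "in range". */
int older_than(const char *release, const char *fixed)
{
    struct kver r, f;
    if (!parse_kver(release, &r) || !parse_kver(fixed, &f))
        return 0;
    return cmp_kver(&r, &f) < 0;
}

/* Try unshare(CLONE_NEWUSER) in a child so the caller's namespaces are
 * untouched. Returns 1 if this (unprivileged) process may create a user
 * namespace, 0 if the kernel refuses or the probe cannot run. */
int unpriv_userns_available(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0)
        _exit(syscall(SYS_unshare, CLONE_NEWUSER) == 0 ? 0 : 1);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    /* Fixed-in versions exactly as the entries above state them. */
    static const struct { const char *what; const char *fixed; } ranges[] = {
        { "MNT_DETACH/MNT_LOCKED bypass, mount connectivity (fs/namespace.c)", "4.0.2" },
        { "collect_mounts after unmount, fs_pin list inconsistency",          "4.0.5" },
        { "compat IPT_SO_SET_REPLACE (needs in-container root)",               "4.6"   },
    };
    struct utsname u;
    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    printf("kernel release: %s\n", u.release);
    for (size_t i = 0; i < sizeof ranges / sizeof ranges[0]; i++)
        printf("  %-68s fixed in %-5s %s\n", ranges[i].what, ranges[i].fixed,
               older_than(u.release, ranges[i].fixed) ? "IN RANGE" : "ok");
    printf("unprivileged user namespaces: %s\n",
           unpriv_userns_available() ? "available (precondition met)"
                                     : "refused (precondition absent)");
    return 0;
}
```

The version comparison is against upstream numbering only. Distribution kernels backport fixes without bumping the release (the halfdog entries above target Ubuntu 14.04 and 15.10 kernels numbered well below 4.0), so "IN RANGE" means check the distro changelog for the CVE, not that the host is vulnerable. A refused user-namespace probe removes the precondition for the fs/namespace.c entries; it says nothing about the IPT_SO_SET_REPLACE case when the caller already has root inside a container.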