Vulnerability CVE-2014-9322

Vulnerability CVE-2014-9322

Published: 2014-12-17

Description:

arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.

See advisories in our WLB2 database:

	Topic	Author	Date
High	Linux Kernel 3.2 multiple x86_64 vulnerabilities	Andy Lutomirski	16.12.2014
High	Linux Kernel IRET Instruction #SS Fault Handling Crash PoC	Emeric Nasi	05.03.2015
High	Linux Kernel BadIRET Local Privilege Escalation	Ren Kimura	02.03.2018

Type:

CWE-17

(Code)

CVSS2 => (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score	Impact Subscore	Exploitability Subscore
7.2/10	10/10	3.9/10

Exploit range	Attack complexity	Authentication
Local	Low	No required
Confidentiality impact	Integrity impact	Availability impact
Complete	Complete	Complete

Affected software
Linux -> Linux kernel
Google -> Android

References:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6f442be2fb22be02cafa606f1769fa1e6f894441

http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html

http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.html

http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00020.html

http://marc.info/?l=bugtraq&m=142722450701342&w=2

http://marc.info/?l=bugtraq&m=142722544401658&w=2

http://rhn.redhat.com/errata/RHSA-2014-1998.html

http://rhn.redhat.com/errata/RHSA-2014-2008.html

http://rhn.redhat.com/errata/RHSA-2014-2028.html

http://rhn.redhat.com/errata/RHSA-2014-2031.html

http://rhn.redhat.com/errata/RHSA-2015-0009.html

http://source.android.com/security/bulletin/2016-04-02.html

http://www.exploit-db.com/exploits/36266

http://www.openwall.com/lists/oss-security/2014/12/15/6

http://www.ubuntu.com/usn/USN-2491-1

http://www.zerodayinitiative.com/advisories/ZDI-16-170

https://bugzilla.redhat.com/show_bug.cgi?id=1172806

https://github.com/torvalds/linux/commit/6f442be2fb22be02cafa606f1769fa1e6f894441

https://help.joyent.com/entries/98788667-Security-Advisory-ZDI-CAN-3263-ZDI-CAN-3284-and-ZDI-CAN-3364-Vulnerabilities

https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.17.5

Vulnerability CVE-2014-9322

arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.

See advisories in our WLB2 database:

High

Linux Kernel 3.2 multiple x86_64 vulnerabilities

High

Linux Kernel IRET Instruction #SS Fault Handling Crash PoC

High

Linux Kernel BadIRET Local Privilege Escalation

CWE-17

CVSS2 => (AV:L/AC:L/Au:N/C:C/I:C/A:C)

7.2/10

10/10

3.9/10

Local

Low

No required

Complete

Complete

Complete

Affected software

References: