Vulnerability CVE-2018-1120


Published: 2018-06-20

Description:
A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks).

See advisories in our WLB2 database:
Topic
Author
Date
Med.
Procps-ng Multiple Vulnerabilities
Qualys Corporati...
31.05.2018

Type:

CWE-119

(Improper Restriction of Operations within the Bounds of a Memory Buffer)

Vendor: Debian
Product: Debian linux 
Version: 8.0;
Vendor: Redhat
Product: Enterprise linux desktop 
Version: 7.0;
Product: Enterprise linux workstation 
Version: 7.0;
Product: Enterprise linux server 
Version: 7.0;
Product: Enterprise linux 
Version: 7.0; 6.0;
Vendor: Linux
Product: Linux kernel 
Version:
4.9.99
4.9.98
4.9.97
4.9.96
4.9.95
4.9.94
4.9.93
4.9.92
4.9.91
4.9.90
4.9.9
4.9.89
4.9.88
4.9.87
4.9.86
4.9.85
4.9.84
4.9.83
4.9.82
4.9.81
4.9.80
4.9.8
4.9.79
4.9.78
4.9.77
4.9.76
4.9.75
4.9.74
4.9.73
4.9.72
4.9.71
4.9.70
4.9.7
4.9.69
4.9.68
4.9.67
4.9.66
4.9.65
4.9.64
4.9.63
4.9.62
4.9.61
4.9.60
4.9.6
4.9.59
4.9.58
4.9.57
4.9.56
4.9.55
4.9.54
4.9.53
4.9.52
4.9.51
4.9.50
4.9.5
4.9.49
4.9.48
4.9.47
4.9.46
4.9.45
4.9.44
4.9.43
4.9.42
4.9.41
4.9.40
4.9.4
4.9.39
4.9.38
4.9.37
4.9.36
4.9.35
4.9.34
4.9.33
4.9.32
4.9.31
4.9.30
4.9.3
4.9.29
4.9.28
4.9.27
4.9.26
4.9.25
4.9.24
4.9.23
4.9.22
4.9.21
4.9.20
4.9.2
4.9.19
4.9.18
4.9.17
4.9.16
4.9.15
4.9.144
See more versions on NVD

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:N/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
3.5/10
2.9/10
6.8/10
Exploit range
Attack complexity
Authentication
Remote
Medium
Single time
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial

 References:
http://seclists.org/oss-sec/2018/q2/122
http://www.securityfocus.com/bid/104229
https://access.redhat.com/errata/RHSA-2018:2948
https://access.redhat.com/errata/RHSA-2018:3083
https://access.redhat.com/errata/RHSA-2018:3096
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1120
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7f7ccc2ccc2e70c6054685f5e3522efa81556830
https://lists.debian.org/debian-lts-announce/2018/07/msg00020.html
https://security.gentoo.org/glsa/201805-14
https://usn.ubuntu.com/3752-1/
https://usn.ubuntu.com/3752-2/
https://usn.ubuntu.com/3752-3/
https://usn.ubuntu.com/3910-1/
https://usn.ubuntu.com/3910-2/
https://www.exploit-db.com/exploits/44806/

Related CVE
CVE-2019-10639
The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel image offset using the IP ID values the...
CVE-2019-10638
In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to ...
CVE-2019-13233
In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation.
CVE-2019-12984
A NULL pointer dereference vulnerability in the function nfc_genl_deactivate_target() in net/nfc/netlink.c in the Linux kernel before 5.1.13 can be triggered by a malicious user-mode program that omits certain NFC attributes, leading to denial of ser...
CVE-2019-12817
arch/powerpc/mm/mmu_context_book3s64.c in the Linux kernel before 5.1.15 for powerpc has a bug where unrelated processes may be able to read/write to one another's virtual memory under certain conditions via an mmap above 512 TB. Only a subset of pow...
CVE-2019-3896
A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).
CVE-2019-11479
Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial ...
CVE-2019-11478
Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denia...

Copyright 2019, cxsecurity.com

 

Back to Top