Vulnerability CVE-2019-11190


Published: 2019-04-11   Modified: 2019-04-12

Description:
The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat.

Type: CWE-362 (Race Condition)

Vendor: Linux
Product: Linux kernel
Version:
4.7.9
4.7.8
4.7.7
4.7.6
4.7.5
4.7.4
4.7.3
4.7.2
4.7.10
4.7.1
4.7
4.6.7
4.6.6
4.6.5
4.6.4
4.6.3
4.6.2
4.6.1
4.6
4.5.7
4.5.6
4.5.5
4.5.4
4.5.3
4.5.2
4.5.1
4.5.0
4.5
4.4.99
4.4.98
4.4.97
4.4.96
4.4.95
4.4.94
4.4.93
4.4.92
4.4.91
4.4.90
4.4.9
4.4.89
4.4.88
4.4.87
4.4.86
4.4.85
4.4.84
4.4.83
4.4.82
4.4.81
4.4.80
4.4.8
4.4.79
4.4.78
4.4.77
4.4.76
4.4.75
4.4.74
4.4.73
4.4.72
4.4.71
4.4.70
4.4.7
4.4.69
4.4.68
4.4.67
4.4.66
4.4.65
4.4.64
4.4.63
4.4.62
4.4.61
4.4.60
4.4.6
4.4.59
4.4.58
4.4.57
4.4.56
4.4.55
4.4.54
4.4.53
4.4.52
4.4.51
4.4.50
4.4.5
4.4.49
4.4.48
4.4.47
4.4.46
4.4.45
4.4.44
4.4.43
4.4.42
4.4.41
4.4.40
4.4.4
4.4.39
4.4.38
4.4.37
4.4.36
4.4.35
4.4.34

CVSS2 => (AV:L/AC:M/Au:N/C:C/I:N/A:N)

CVSS Base Score:          4.7/10
Impact Subscore:          6.9/10
Exploitability Subscore:  3.4/10

Exploit range:            Local
Attack complexity:        Medium
Authentication:           Not required

Confidentiality impact:   Complete
Integrity impact:         None
Availability impact:      None

References:
http://www.openwall.com/lists/oss-security/2019/04/15/1
http://www.securityfocus.com/bid/107890
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/?id=a5b5352558f6808db0589644ea5401b3e3148a0d
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/?id=e1676b55d874a43646e8b2c46d87f2f3e45516ff
https://www.openwall.com/lists/oss-security/2019/04/03/4
https://www.openwall.com/lists/oss-security/2019/04/03/4/1

Related CVEs:
CVE-2018-7191
In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev nam...
CVE-2019-11833
fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem.
CVE-2019-11884
The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a...
CVE-2019-11815
An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup.
CVE-2019-11811
An issue was discovered in the Linux kernel before 5.0.4. There is a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and ...
CVE-2019-11810
An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a ...
CVE-2018-20836
An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.
CVE-2019-11683
udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel 5.x before 5.0.13 allows remote attackers to cause a denial of service (slab-out-of-bounds memory corruption) or possibly have unspecified other impact via UDP packets with a 0 pay...

Copyright 2019, cxsecurity.com