SB2018053104 - Multiple vulnerabilities in Linux Kernel
Published: May 31, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2018-11508)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a local attacker to obtain potentially sensitive information.
The vulnerability exists in the compat_get_timex function, as defined in the kernel/compat.c source code file due to an uninitialized struct field in compat adjtimex system calls. A local attacker can send a compat adjtimex system call that submits malicious input and access sensitive kernel memory content, which could be used to conduct further attacks.
2) Stack-based buffer overflow (CVE-ID: CVE-2018-11506)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause DoS condition on the target system.
The vulnerability exists in the sr_do_ioctl function, as defined in the drivers/scsi/sr_ioctl.c source code file due to differing buffer sizes in the CDROM layer and the SCSI layer. A local attacker can submit specially crafted input, trigger a stack-based overflow and cause the system to crash.
3) Memory corruption (CVE-ID: CVE-2018-11412)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to gain elevated privileges or cause DoS condition on the target system.
The vulnerability exists due to improper memory operations performed by the ext4_read_inline_data() function, as defined in the fs/ext4/inline.c source code file. A local attacker can mount a customized ext4 filesystem that stores the system.data extended attribute value in a dedicated inode, supply malicious input containing an untrusted length value, trigger memory corruption and gain elevated privileges or cause a DoS condition.
Remediation
Install update from vendor's website.
References
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a0b98734479aa5b3c671d...
- https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.9
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f7068114d45ec55996b904...
- https://bugzilla.kernel.org/show_bug.cgi?id=199803