Permissions, Privileges, and Access Controls in Linux kernel - CVE-2014-8989
Published: November 30, 2014 / Updated: August 9, 2020
Vulnerability identifier: #VU41049
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2014-8989
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allows local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a "negative groups" issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c.
How to mitigate CVE-2014-8989
Install update from vendor's website.
Sources
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147864.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147973.html
- http://thread.gmane.org/gmane.linux.man/7385/
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:058
- http://www.openwall.com/lists/oss-security/2014/11/20/4
- http://www.securityfocus.com/bid/71154
- http://www.ubuntu.com/usn/USN-2515-1
- http://www.ubuntu.com/usn/USN-2516-1
- http://www.ubuntu.com/usn/USN-2517-1
- http://www.ubuntu.com/usn/USN-2518-1