#VU22938 Buffer overflow in Block IO Tracing - CVE-2018-10689
Published: November 23, 2019
Vulnerability identifier: #VU22938
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-10689
CWE-ID: CWE-119
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Block IO Tracing
Block IO Tracing
Software vendor:
Jens Axboe
Jens Axboe
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the dev_map_read() function in btt/devmap.c in blktrace. A local user can create a specially crafted file, pass it to he application that is using the vulnerable component (e.g. btt program), trigger memory corruption and execute arbitrary code with elevated privileges.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
External links
- http://git.kernel.dk/?p=blktrace.git;a=log;h=d61ff409cb4dda31386373d706ea0cfb1aaac5b7
- https://access.redhat.com/errata/RHSA-2019:2162
- https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7
- https://www.spinics.net/lists/linux-btrace/msg00847.html