oss-sec mailing list archives
Linux CVE-2016-4997 (local privilege escalation) and CVE-2016-4998 (out of bounds memory access)
From: Jesse Hertz <Jesse.Hertz@nccgroup.trust>
Date: Fri, 24 Jun 2016 18:53:53 +0000
Hi All, As part of a kernel fuzzing project by myself and my colleague Tim Newsham, we are disclosing two vulnerabilities which have been assigned CVEs. Full details of the fuzzing project (with analysis of the vulnerabilities) will be released next week. These issues are fixed in the following commits http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d04 <http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d04> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb088 <http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb088> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bdf533de6968 <http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bdf533de6968> And have now been integrated into stable kernel releases: 3.14.73, 4.4.14, and 4.6.3. Theses issues occurs in the same codepaths as, but are distinct from, a similar vulnerability: CVE-2016-3134 (https://bugs.chromium.org/p/project-zero/issues/detail?id=758 <https://bugs.chromium.org/p/project-zero/issues/detail?id=758>). ######### CVE-2016-4997: Corrupted offset allows for arbitrary decrements in compat IPT_SO_SET_REPLACE setsockopt Risk: High Impact: Kernel memory corruption, leading to elevation of privileges or kernel code execution. This occurs in a compat_setsockopt() call that is normally restricted to root, however, Linux 3/4 kernels that support user and network namespaces can allow an unprivileged user to trigger this functionality. This is exploitable from inside a container. ########## CVE-2016-4998: Out of bounds reads when processing IPT_SO_SET_REPLACE setsockopt Risk: Medium Impact: Out of bounds heap memory access, leading to a Denial of Service (or possibly heap disclosure or further impact). This occurs in a setsockopt() call that is normally restricted to root, however, Linux 3/4 kernels that support user and network namespaces can allow an unprivileged user to trigger this functionality. This is exploitable from inside a container. ########## Best, -jh
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
Current thread:
- Linux CVE-2016-4997 (local privilege escalation) and CVE-2016-4998 (out of bounds memory access) Jesse Hertz (Jun 24)