SSD Advisory – Infiniband Linux Driver UAF

Vulnerability Summary
A bug in the thread synchronization of the Infiniband driver can cause a use-after-free. A struct that is allocated and freed by one thread remains reachable from a second thread through idr_find: if the second thread calls idr_find before the first thread frees the struct, it still holds a pointer to the struct and can use it after it has been freed.
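To make the race concrete, here is an added example that is not code from the advisory or from the kernel: a single-threaded model of the lookup/free sequence described above. A small pointer table stands in for the driver's IDR, a boolean `idr_lock_held` stands in for the lock that serializes lookup and removal, and an object's `freed` flag stands in for memory that has really gone back to the allocator, so the program can detect a use-after-free instead of corrupting its heap. The function and field names (`idr_find_unsafe`, `idr_find_get`, `obj_put`, `struct obj`) are this example's own, not the driver's; the interleaving is fixed to the losing one: thread B looks the object up, thread A removes and frees it, thread B uses it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define IDR_SLOTS 8

struct obj {
    int id;
    int refcount;   /* used only by the hardened variant */
    bool freed;     /* simulation only: real freed kernel memory carries no such flag */
};

/* Objects live in a static pool so a "freed" object can still be inspected
 * (constructed stand-in for heap memory; nothing here calls free()). */
static struct obj pool[IDR_SLOTS];
static struct obj *idr_table[IDR_SLOTS];   /* stand-in for the driver's IDR */
static bool idr_lock_held;                 /* stand-in for the lock around lookup/removal */

static void idr_reset(void)
{
    for (int i = 0; i < IDR_SLOTS; i++) {
        idr_table[i] = NULL;
        pool[i] = (struct obj){ .id = i, .refcount = 0, .freed = true };
    }
    idr_lock_held = false;
}

static void idr_lock(void)   { idr_lock_held = true; }
static void idr_unlock(void) { idr_lock_held = false; }

static struct obj *obj_alloc(int id)
{
    pool[id] = (struct obj){ .id = id, .refcount = 1, .freed = false };
    idr_table[id] = &pool[id];
    return &pool[id];
}

static void obj_free(struct obj *o) { o->freed = true; }

/* --- Vulnerable pattern: the lookup hands back a raw pointer, no reference taken --- */

static struct obj *idr_find_unsafe(int id) { return idr_table[id]; }

static void remove_and_free_unsafe(int id)
{
    struct obj *o = idr_table[id];
    idr_table[id] = NULL;
    if (o) obj_free(o);               /* thread A frees while thread B may still hold the pointer */
}

/* Returns true when thread B dereferences memory thread A already freed. */
bool race_unsafe(void)
{
    idr_reset();
    obj_alloc(3);
    struct obj *b = idr_find_unsafe(3);   /* thread B: lookup succeeds */
    remove_and_free_unsafe(3);            /* thread A: remove from table, then free */
    return b->freed;                      /* thread B: use -> use after free */
}

/* --- Hardened pattern: lookup and reference grab under one lock, free on last put --- */

static struct obj *idr_find_get(int id)
{
    idr_lock();
    struct obj *o = idr_table[id];
    if (o) o->refcount++;             /* reference taken before the lock is dropped */
    idr_unlock();
    return o;
}

static void obj_put(struct obj *o)
{
    if (--o->refcount == 0) obj_free(o);
}

static void remove_and_put(int id)
{
    idr_lock();
    struct obj *o = idr_table[id];
    idr_table[id] = NULL;             /* later lookups get NULL instead of a dying object */
    idr_unlock();
    if (o) obj_put(o);                /* drops only the table's reference */
}

/* Returns true only if thread B ever touches freed memory; expected false. */
bool race_hardened(void)
{
    idr_reset();
    obj_alloc(3);
    struct obj *b = idr_find_get(3);      /* thread B: lookup + get */
    remove_and_put(3);                    /* thread A: remove + put, object survives */
    bool touched_freed = b->freed;        /* thread B: use, object still alive */
    obj_put(b);                           /* thread B: last reference, freed here */
    return touched_freed;
}

/* A lookup that loses the race against removal now gets NULL, not a stale pointer. */
bool lookup_after_remove_is_null(void)
{
    idr_reset();
    obj_alloc(5);
    remove_and_put(5);
    return idr_find_get(5) == NULL;
}

int main(void)
{
    printf("unsafe sequence touched freed memory: %s\n", race_unsafe() ? "yes" : "no");
    printf("hardened sequence touched freed memory: %s\n", race_hardened() ? "yes" : "no");
    return 0;
}
```

The fix is not the lock alone: a lock that only protects the table lookup still lets thread A free the object the moment thread B drops the lock. What closes the window is taking the reference while the lock is held and deferring the free to the last `obj_put`, which is the shape of refcounted lookups (`kref`, `get`/`put` pairs) in the kernel generally.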

Vendor Response
“Infiniband: fix a possible use-after-free bug has been added to the 4.17-stable tree. Patches currently in stable-queue are queue-4.17/infiniband-fix-a-possible-use-after-free-bug.patch”

CVE
CVE-2018-14737

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

SSD Advisory – Linux AF_LLC Double Free

Vulnerability Summary
A use-after-free vulnerability in AF_LLC allows local attackers to control the flow of code the kernel executes, letting them run arbitrary code and gain elevated privileges.

Vendor Response
The vulnerability was reported to the Kernel Security team, which asked us to contact the netdev team. The netdev team provided a patch on the 27th of March, which was later integrated into mainline Linux (we are not certain when).

Attempts to recontact netdev and learn more about the timeline went unanswered.

We know that the patch has been introduced as part of:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.17-rc2&id=b85ab56c3f81c5a24b5a5213374f549df06430da

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected systems
The oldest known affected version is Linux 2.6.39.4; the patch was introduced as part of 4.17-rc2.

SSD Advisory – Linux Kernel XFRM Privilege Escalation Vulnerability

Vulnerability Summary
The following advisory describes a use-after-free vulnerability found in the Linux kernel; an attacker who successfully exploits it can escalate privileges. The vulnerability lies in the Netlink socket subsystem, XFRM.

Netlink is used to transfer information between the kernel and user-space processes. It consists of a standard socket-based interface for user-space processes and an internal kernel API for kernel modules.

Credit
An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security's SSD.

Vendor Response
The vulnerability has been fixed in patch 1137b5e ("ipsec: Fix aborted xfrm policy dump crash").

CVE: CVE-2017-16939


SSD Advisory – Linux Kernel AF_PACKET Use-After-Free Vulnerability

Vulnerability Summary
The following advisory describes a use-after-free vulnerability in the Linux kernel's AF_PACKET; successful exploitation may lead to privilege escalation.

AF_PACKET sockets "allow users to send or receive packets at the device driver layer". For example, a user can implement their own protocol on top of the physical layer, or sniff packets including the Ethernet or higher-level protocol headers.

Credit
An independent security researcher has discovered and reported this vulnerability to Beyond Security's SSD.

Vendor Response
Update 1

CVE: CVE-2017-15649

"The vulnerability has most likely been fixed by:

packet: hold bind lock when rebinding to fanout hook – http://patchwork.ozlabs.org/patch/813945/

Related, but not merged, is

packet: in packet_do_bind, test fanout with bind_lock held – http://patchwork.ozlabs.org/patch/818726/

We verified that the vulnerability does not trigger on v4.14-rc2, but it was tested successfully on the first commit (008ba2a13f2d)."
