The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat.
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00039.html
http://www.openwall.com/lists/oss-security/2019/04/15/1
http://www.securityfocus.com/bid/107890
https://lists.debian.org/debian-lts-announce/2019/05/msg00041.html
https://lists.debian.org/debian-lts-announce/2019/05/msg00042.html
https://usn.ubuntu.com/4008-1/
https://usn.ubuntu.com/4008-2/
https://usn.ubuntu.com/4008-3/
Source: MITRE
Published: 2019-04-12
Updated: 2019-06-07
Type: CWE-362
CVSS v2 Base Score: 4.7
Vector: AV:L/AC:M/Au:N/C:C/I:N/A:N
Impact Score: 6.9
Exploitability Score: 3.4
Severity: MEDIUM
CVSS v3.0 Base Score: 4.7
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Impact Score: 3.6
Exploitability Score: 1
Severity: MEDIUM
ID | Name | Product | Family | Severity |
---|---|---|---|---|
135813 | Scientific Linux Security Update : kernel on SL7.x x86_64 (20200407) | Nessus | Scientific Linux Local Security Checks | high |
135316 | CentOS 7 : kernel (CESA-2020:1016) | Nessus | CentOS Local Security Checks | high |
135080 | RHEL 7 : kernel (RHSA-2020:1016) | Nessus | Red Hat Local Security Checks | high |
135078 | RHEL 7 : kernel-rt (RHSA-2020:1070) | Nessus | Red Hat Local Security Checks | high |
126240 | SUSE SLES12 Security Update : kernel (SUSE-SU-2019:1692-1) (SACK Panic) (SACK Slowness) | Nessus | SuSE Local Security Checks | high |
126121 | Photon OS 1.0: Linux PHSA-2019-1.0-0236 | Nessus | PhotonOS Local Security Checks | high |
126033 | openSUSE Security Update : the Linux Kernel (openSUSE-2019-1570) (SACK Panic) (SACK Slowness) | Nessus | SuSE Local Security Checks | high |
126031 | Slackware 14.2 / current : kernel (SSA:2019-169-01) (SACK Panic) (SACK Slowness) | Nessus | Slackware Local Security Checks | high |
125995 | SUSE SLES12 Security Update : kernel (SUSE-SU-2019:1534-1) (SACK Panic) (SACK Slowness) | Nessus | SuSE Local Security Checks | high |
125994 | SUSE SLES12 Security Update : kernel (SUSE-SU-2019:1533-1) (SACK Panic) (SACK Slowness) | Nessus | SuSE Local Security Checks | high |
125993 | SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2019:1532-1) (SACK Panic) (SACK Slowness) | Nessus | SuSE Local Security Checks | high |
125990 | SUSE SLES12 Security Update : kernel (SUSE-SU-2019:1527-1) (SACK Panic) (SACK Slowness) | Nessus | SuSE Local Security Checks | high |
125768 | Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-4008-3) | Nessus | Ubuntu Local Security Checks | high |
125767 | Ubuntu 16.04 LTS : apparmor update (USN-4008-2) | Nessus | Ubuntu Local Security Checks | high |
125726 | Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-4008-1) | Nessus | Ubuntu Local Security Checks | high |
125615 | OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0022) | Nessus | OracleVM Local Security Checks | medium |
125587 | EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1635) | Nessus | Huawei Local Security Checks | high |
125514 | EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-1587) | Nessus | Huawei Local Security Checks | high |
125513 | EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-1586) | Nessus | Huawei Local Security Checks | high |
125478 | Debian DLA-1799-2 : linux security update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) | Nessus | Debian Local Security Checks | high |
125238 | Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2019-4646) | Nessus | Oracle Linux Local Security Checks | medium |
125237 | Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4644) | Nessus | Oracle Linux Local Security Checks | high |
125235 | Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4642) | Nessus | Oracle Linux Local Security Checks | medium |
124431 | EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-1304) | Nessus | Huawei Local Security Checks | high |