CVE-2018-18397

Current Description

The userfaultfd implementation in the Linux kernel before 4.19.7 mishandles access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c.

Basic Data

Published: December 12, 2018
Last Modified: October 03, 2019
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: NVD-CWE-noinfo
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:L/AC:L/Au:N/C:N/I:P/A:N
CVSS 2 - Access Vector: LOCAL
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 2.1
Severity: LOW
Exploitability Score: 3.9
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

CVSS 3 - Version: 3.0
CVSS 3 - Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS 3 - Attack Vector: LOCAL
CVSS 3 - Attack Complexity: LOW
CVSS 3 - Privileges Required: LOW
CVSS 3 - User Interaction: NONE
CVSS 3 - Scope: UNCHANGED
CVSS 3 - Confidentiality Impact: NONE
CVSS 3 - Integrity Impact: HIGH
CVSS 3 - Availability Impact: NONE
CVSS 3 - Base Score: 5.5
CVSS 3 - Base Severity: MEDIUM
Exploitability Score: 1.8
Base Severity: MEDIUM

Configurations

  • OR - Configuration 1
    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | OS | Linux | Linux Kernel | * | * | * | * | * | * | * | * | | | | 4.19.7
  • OR - Configuration 2
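    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | Application | Redhat | Openshift Container Platform | 3.11 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Redhat | Virtualization Host | 4.0 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Desktop | 7.0 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Server | 7.0 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Server Aus | 7.4 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Server Aus | 7.6 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Server Eus | 7.4 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Server Eus | 7.5 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Server Eus | 7.6 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Server Tus | 7.4 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Server Tus | 7.6 | * | * | * | * | * | * | * | | | |
    2.3 | OS | Redhat | Enterprise Linux Workstation | 7.0 | * | * | * | * | * | * | * | | | |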
  • OR - Configuration 3
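    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | OS | Canonical | Ubuntu Linux | 14.04 | * | * | * | lts | * | * | * | | | |
    2.3 | OS | Canonical | Ubuntu Linux | 16.04 | * | * | * | lts | * | * | * | | | |
    2.3 | OS | Canonical | Ubuntu Linux | 18.04 | * | * | * | lts | * | * | * | | | |
    2.3 | OS | Canonical | Ubuntu Linux | 18.10 | * | * | * | * | * | * | * | | | |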

Vulnerable Software List

Vendor | Product | Versions
Redhat | Enterprise Linux Workstation | 7.0
Redhat | Virtualization Host | 4.0
Redhat | Enterprise Linux Desktop | 7.0
Redhat | Enterprise Linux Server Aus | 7.4, 7.6
Redhat | Enterprise Linux Server Tus | 7.4, 7.6
Redhat | Enterprise Linux Server Eus | 7.4, 7.5, 7.6
Redhat | Openshift Container Platform | 3.11
Redhat | Enterprise Linux Server | 7.0
Canonical | Ubuntu Linux | 14.04, 16.04, 18.04, 18.10
Linux | Linux Kernel | *

References

Name | Source | URL | Tags
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=29ec90660d68bbdd69507c1c8b4e33aa299278b1 | MISC | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=29ec90660d68bbdd69507c1c8b | Patch, Third Party Advisory
RHBA-2019:0327 | REDHAT | https://access.redhat.com/errata/RHBA-2019:0327 | Third Party Advisory
RHSA-2019:0163 | REDHAT | https://access.redhat.com/errata/RHSA-2019:0163 | Third Party Advisory
RHSA-2019:0202 | REDHAT | https://access.redhat.com/errata/RHSA-2019:0202 | Third Party Advisory
RHSA-2019:0324 | REDHAT | https://access.redhat.com/errata/RHSA-2019:0324 | Third Party Advisory
RHSA-2019:0831 | REDHAT | https://access.redhat.com/errata/RHSA-2019:0831 | Third Party Advisory
https://bugs.chromium.org/p/project-zero/issues/detail?id=1700 | MISC | https://bugs.chromium.org/p/project-zero/issues/detail?id=1700 | Exploit, Issue Tracking, Third Party Advisory
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.87 | MISC | https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.87 | Patch, Vendor Advisory
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.7 | MISC | https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.7 | Patch, Vendor Advisory
https://github.com/torvalds/linux/commit/29ec90660d68bbdd69507c1c8b4e33aa299278b1 | MISC | https://github.com/torvalds/linux/commit/29ec90660d68bbdd69507c1c8b4e33aa299278b1 | Patch, Third Party Advisory
USN-3901-1 | UBUNTU | https://usn.ubuntu.com/3901-1/ | Third Party Advisory
USN-3901-2 | UBUNTU | https://usn.ubuntu.com/3901-2/ | Third Party Advisory
USN-3903-1 | UBUNTU | https://usn.ubuntu.com/3903-1/ | Third Party Advisory
USN-3903-2 | UBUNTU | https://usn.ubuntu.com/3903-2/ | Third Party Advisory