CVE-2018-18559

Current Description

In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because commit 15fe076edea787807a7cdc168df832544b58eba6 was an incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control.

Basic Data

Published: October 22, 2018
Last Modified: May 14, 2019
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-416
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 6.8
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

CVSS 3 - Version: 3.0
CVSS 3 - Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 3 - Attack Vector: NETWORK
CVSS 3 - Attack Complexity: HIGH
CVSS 3 - Privileges Required: NONE
CVSS 3 - User Interaction: NONE
CVSS 3 - Scope: UNCHANGED
CVSS 3 - Confidentiality Impact: HIGH
CVSS 3 - Integrity Impact: HIGH
CVSS 3 - Availability Impact: HIGH
CVSS 3 - Base Score: 8.1
CVSS 3 - Base Severity: HIGH
Exploitability Score: 2.2
Base Severity: HIGH

Configurations

  • OR - Configuration 1
    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    | 2.3 | OS | Linux | Linux Kernel | * | * | * | * | * | * | * | * | | 4.19 | | |
  • OR - Configuration 2
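    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    | 2.3 | Application | Redhat | Openshift Container Platform | 3.11 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Redhat | Virtualization Host | 4.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Enterprise Linux Desktop | 7.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Enterprise Linux Server | 7.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Enterprise Linux Server Aus | 7.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Enterprise Linux Server Eus | 7.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Enterprise Linux Server Tus | 7.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | OS | Redhat | Enterprise Linux Workstation | 7.0 | * | * | * | * | * | * | * | | | | |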

Vulnerable Software List

| Vendor | Product | Versions |
| Redhat | Enterprise Linux Workstation | 7.0 |
| Redhat | Virtualization Host | 4.0 |
| Redhat | Enterprise Linux Desktop | 7.0 |
| Redhat | Enterprise Linux Server Aus | 7.6 |
| Redhat | Enterprise Linux Server Tus | 7.6 |
| Redhat | Enterprise Linux Server Eus | 7.6 |
| Redhat | Openshift Container Platform | 3.11 |
| Redhat | Enterprise Linux Server | 7.0 |
| Linux | Linux Kernel | * |

References

| Name | Source | URL | Tags |
| RHBA-2019:0327 | REDHAT | https://access.redhat.com/errata/RHBA-2019:0327 | Third Party Advisory |
| RHSA-2019:0163 | REDHAT | https://access.redhat.com/errata/RHSA-2019:0163 | Third Party Advisory |
| RHSA-2019:0188 | REDHAT | https://access.redhat.com/errata/RHSA-2019:0188 | Third Party Advisory |
| RHSA-2019:1170 | REDHAT | https://access.redhat.com/errata/RHSA-2019:1170 | |
| RHSA-2019:1190 | REDHAT | https://access.redhat.com/errata/RHSA-2019:1190 | |
| RHSA-2019:3967 | REDHAT | https://access.redhat.com/errata/RHSA-2019:3967 | |
| RHSA-2019:4159 | REDHAT | https://access.redhat.com/errata/RHSA-2019:4159 | |
| RHSA-2020:0174 | REDHAT | https://access.redhat.com/errata/RHSA-2020:0174 | |
| https://blogs.securiteam.com/index.php/archives/3731 | MISC | https://blogs.securiteam.com/index.php/archives/3731 | Exploit, Patch, Third Party Advisory |