Vulnerabilities > CVE-2015-0569 - Out-Of-Bounds Write vulnerability in Linux Kernel

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
linux
CWE-787
critical
nessus
exploit available

Summary

Heap-based buffer overflow in the private wireless extensions IOCTL implementation in wlan_hdd_wext.c in the WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via a crafted application that establishes a packet filter.

Vulnerable Configurations

Part Description Count
OS
Linux
1866

Common Weakness Enumeration (CWE)

Exploit-Db

descriptionLinux Kernel - prima WLAN Driver Heap Overflow. CVE-2015-0569. Dos exploit for linux platform
fileexploits/linux/dos/39308.c
idEDB-ID:39308
last seen2016-02-04
modified2016-01-25
platformlinux
port
published2016-01-25
reporterShawn the R0ck
sourcehttps://www.exploit-db.com/download/39308/
titleLinux Kernel - prima WLAN Driver Heap Overflow
typedos

Nessus

NASL familyHuawei Local Security Checks
NASL idEULEROS_SA-2019-1484.NASL
descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In the Linux kernel, Hisilicon Network Subsystem (HNS) does not consider the ETH_SS_PRIV_FLAGS case when retrieving sset_count data. This allows local users to cause a denial of service (buffer overflow and memory corruption) or possibly have unspecified other impacts.(CVE-2017-18222i1/4%0 - A flaw was found in the way the Linux kernel
last seen2020-03-19
modified2019-05-13
plugin id124808
published2019-05-13
reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/124808
titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1484)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124808);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");

  script_cve_id(
    "CVE-2013-7266",
    "CVE-2014-2672",
    "CVE-2014-2678",
    "CVE-2014-8086",
    "CVE-2015-0569",
    "CVE-2015-2150",
    "CVE-2015-3331",
    "CVE-2015-5307",
    "CVE-2015-5366",
    "CVE-2016-4440",
    "CVE-2016-7117",
    "CVE-2016-7914",
    "CVE-2017-1000410",
    "CVE-2017-17052",
    "CVE-2017-18222",
    "CVE-2017-6214",
    "CVE-2018-10087",
    "CVE-2018-10878",
    "CVE-2018-13100",
    "CVE-2018-18690"
  );
  script_bugtraq_id(
    64743,
    66492,
    66543,
    70376,
    73014,
    74235,
    75510
  );

  script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1484)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :

  - In the Linux kernel, Hisilicon Network Subsystem (HNS)
    does not consider the ETH_SS_PRIV_FLAGS case when
    retrieving sset_count data. This allows local users to
    cause a denial of service (buffer overflow and memory
    corruption) or possibly have unspecified other
    impacts.(CVE-2017-18222i1/4%0

  - A flaw was found in the way the Linux kernel's
    networking implementation handled UDP packets with
    incorrect checksum values. A remote attacker could
    potentially use this flaw to trigger an infinite loop
    in the kernel, resulting in a denial of service on the
    system, or cause a denial of service in applications
    using the edge triggered epoll
    functionality.(CVE-2015-5366i1/4%0

  - A use-after-free vulnerability was found in the
    kernel's socket recvmmsg subsystem. This may allow
    remote attackers to corrupt memory and may allow
    execution of arbitrary code. This corruption takes
    place during the error handling routines within
    __sys_recvmmsg() function.(CVE-2016-7117i1/4%0

  - arch/x86/kvm/vmx.c in the Linux kernel through 4.6.3
    mishandles the APICv on/off state, which allows guest
    OS users to obtain direct APIC MSR access on the host
    OS, and consequently cause a denial of service (host OS
    crash) or possibly execute arbitrary code on the host
    OS, via x2APIC mode.(CVE-2016-4440i1/4%0

  - In the Linux kernel before 4.17, a local attacker able
    to set attributes on an xfs filesystem could make this
    filesystem non-operational until the next mount by
    triggering an unchecked error condition during an xfs
    attribute change, because xfs_attr_shortform_addname in
    fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE
    operations with conversion of an attr from short to
    long form.(CVE-2018-18690i1/4%0

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bounds write and a
    denial of service or unspecified other impact is
    possible by mounting and operating a crafted ext4
    filesystem image.(CVE-2018-10878i1/4%0

  - Xen 3.3.x through 4.5.x and the Linux kernel through
    3.19.1 do not properly restrict access to PCI command
    registers, which might allow local guest OS users to
    cause a denial of service (non-maskable interrupt and
    host crash) by disabling the (1) memory or (2) I/O
    decoding for a PCI Express device and then accessing
    the device, which triggers an Unsupported Request (UR)
    response.(CVE-2015-2150i1/4%0

  - The assoc_array_insert_into_terminal_node() function in
    'lib/assoc_array.c' in the Linux kernel before 4.5.3
    does not check whether a slot is a leaf, which allows
    local users to obtain sensitive information from kernel
    memory or cause a denial of service (invalid pointer
    dereference and out-of-bounds read) via an application
    that uses associative-array data
    structures.(CVE-2016-7914i1/4%0

  - It was found that the x86 ISA (Instruction Set
    Architecture) is prone to a denial of service attack
    inside a virtualized environment in the form of an
    infinite loop in the microcode due to the way
    (sequential) delivering of benign exceptions such as
    #AC (alignment check exception) is handled. A
    privileged user inside a guest could use this flaw to
    create denial of service conditions on the host
    kernel.(CVE-2015-5307i1/4%0

  - An issue was discovered in fs/f2fs/super.c in the Linux
    kernel, which does not properly validate secs_per_zone
    in a corrupted f2fs image. This may lead to a
    divide-by-zero error and a system
    crash.(CVE-2018-13100i1/4%0

  - The mISDN_sock_recvmsg function in
    drivers/isdn/mISDN/socket.c in the Linux kernel before
    3.12.4 does not ensure that a certain length value is
    consistent with the size of an associated data
    structure, which allows local users to obtain sensitive
    information from kernel memory via a (1) recvfrom, (2)
    recvmmsg, or (3) recvmsg system call.(CVE-2013-7266i1/4%0

  - A NULL pointer dereference flaw was found in the
    rds_iw_laddr_check() function in the Linux kernel's
    implementation of Reliable Datagram Sockets (RDS). A
    local, unprivileged user could use this flaw to crash
    the system.(CVE-2014-2678i1/4%0

  - A flaw was found in the Linux kernel's handling of
    packets with the URG flag. Applications using the
    splice() and tcp_splice_read() functionality could
    allow a remote attacker to force the kernel to enter a
    condition in which it could loop
    indefinitely.(CVE-2017-6214i1/4%0

  - The kernel_wait4 function in kernel/exit.c in the Linux
    kernel before 4.13, when an unspecified architecture
    and compiler is used, might allow local users to cause
    a denial of service by triggering an attempted use of
    the -INT_MIN value.(CVE-2018-10087i1/4%0

  - Heap-based buffer overflow in the private wireless
    extensions IOCTL implementation in wlan_hdd_wext.c in
    the WLAN (aka Wi-Fi) driver for the Linux kernel 3.x
    and 4.x, as used in Qualcomm Innovation Center (QuIC)
    Android contributions for MSM devices and other
    products, allows attackers to gain privileges via a
    crafted application that establishes a packet
    filter.(CVE-2015-0569i1/4%0

  - A race condition flaw was found in the Linux kernel's
    ext4 file system implementation that allowed a local,
    unprivileged user to crash the system by simultaneously
    writing to a file and toggling the O_DIRECT flag using
    fcntl(F_SETFL) on that file.(CVE-2014-8086i1/4%0

  - The mm_init function in kernel/fork.c in the Linux
    kernel before 4.12.10 does not clear the -i1/4zexe_file
    member of a new process's mm_struct, allowing a local
    attacker to achieve a use-after-free condition and to
    induce a kernel memory corruption on the system,
    leading to a crash or possibly have unspecified other
    impact by running a specially crafted program. Due to
    the nature of the flaw, privilege escalation cannot be
    fully ruled out, although we feel it is
    unlikely.(CVE-2017-17052i1/4%0

  - A buffer overflow flaw was found in the way the Linux
    kernel's Intel AES-NI instructions optimized version of
    the RFC4106 GCM mode decryption functionality handled
    fragmented packets. A remote attacker could use this
    flaw to crash, or potentially escalate their privileges
    on, a system over a connection with an active AES-GCM
    mode IPSec security association.(CVE-2015-3331i1/4%0

  - A flaw was found in the processing of incoming L2CAP
    bluetooth commands. Uninitialized stack variables can
    be sent to an attacker leaking data in kernel address
    space.(CVE-2017-1000410i1/4%0

  - It was found that a remote attacker could use a race
    condition flaw in the ath_tx_aggr_sleep() function to
    crash the system by creating large network traffic on
    the system's Atheros 9k wireless network
    adapter.(CVE-2014-2672i1/4%0

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1484
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?afeb6657");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["kernel-4.19.28-1.2.117",
        "kernel-devel-4.19.28-1.2.117",
        "kernel-headers-4.19.28-1.2.117",
        "kernel-tools-4.19.28-1.2.117",
        "kernel-tools-libs-4.19.28-1.2.117",
        "kernel-tools-libs-devel-4.19.28-1.2.117",
        "perf-4.19.28-1.2.117",
        "python-perf-4.19.28-1.2.117"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/135372/linuxprimawlan-overflow.txt
idPACKETSTORM:135372
last seen2016-12-05
published2016-01-25
reporterShawn the R0ck
sourcehttps://packetstormsecurity.com/files/135372/Linux-Kernel-prima-WLAN-Driver-Heap-Overflow.html
titleLinux Kernel prima WLAN Driver Heap Overflow