[ASA-202107-50] linux-hardened: privilege escalation
Arch Linux Security Advisory ASA-202107-50 ========================================== Severity: High Date : 2021-07-21 CVE-ID : CVE-2021-3609 CVE-2021-3612 CVE-2021-33909 Package : linux-hardened Type : privilege escalation Remote : No Link : https://security.archlinux.org/AVG-2183 Summary ======= The package linux-hardened before version 5.12.19.hardened1-1 is vulnerable to privilege escalation. Resolution ========== Upgrade to 5.12.19.hardened1-1. # pacman -Syu "linux-hardened>=5.12.19.hardened1-1" The problems have been fixed upstream in version 5.12.19.hardened1. Workaround ========== None. Description =========== - CVE-2021-3609 (privilege escalation) A race condition in net/can/bcm.c in the Linux kernel before version 5.13.2 allows for local privilege escalation to root. The CAN BCM networking protocol allows to register a CAN message receiver for a specified socket. The function bcm_rx_handler() is run for incoming CAN messages. Simultaneously to running this function, the socket can be closed and bcm_release() will be called. Inside bcm_release(), struct bcm_op and struct bcm_sock are freed while bcm_rx_handler() is still running, finally leading to multiple use-after-free's. - CVE-2021-3612 (privilege escalation) An out-of-bounds memory write security issue was found in the Linux kernel’s joystick devices subsystem before version 5.13.2, in the way the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to crash the system or possibly escalate their privileges on the system. - CVE-2021-33909 (privilege escalation) An privilege escalation security issue has been found in the filesystem layer of the Linux kernel before version 5.13.4. An unprivileged local attacker can obtain full root privileges by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, which leads to an uncontrolled out-of-bounds write. Impact ====== An unprivileged local attacker could obtain full root privileges or crash the system. References ========== https://www.openwall.com/lists/oss-security/2021/06/19/1 https://www.openwall.com/lists/oss-security/2021/06/19/2 https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-3609/cve-20... https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.2&id=014f8baa9d240c4cf7180d37abd625fd4a4527c8 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.17&id=d8a5cf5cfc07a296c78bd515671e374b8d8db022 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.50&id=b52e0cf0bfc1ede495de36aec86f6013efa18f60 https://bugzilla.redhat.com/show_bug.cgi?id=1974079 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.2&id=81acf1015233b3ee1d9834ba4fcca087a75c0c1b https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.17&id=b88243d8f1c7eb2a834fd7cd1ea9691554240d3a https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.50&id=b4c35e9e8061b2386da1aa0d708e991204e76c45 https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-esc... https://www.qualys.com/2021/07/20/cve-2021-33909/cve-2021-33909-crasher.c https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.4&id=71de462034c69525a5049fbdf3903c5833cbce04 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.19&id=514b6531b1cbb64199db63bfdb80953d71998cca https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.52&id=174c34d9cda1b5818419b8f5a332ced10755e52f https://security.archlinux.org/CVE-2021-3609 https://security.archlinux.org/CVE-2021-3612 https://security.archlinux.org/CVE-2021-33909
participants (1)
-
Jonas Witschel