CVE-2018-18559

EUVD-2018-10279

22.10.2018, 16:29

In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control.

Race Condition

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 78%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	3.2.95 ≤ 𝑥 < 3.2.100
linux	linux_kernel	3.14.58 ≤ 𝑥 < 3.15
linux	linux_kernel	3.18.25 ≤ 𝑥 < 3.18.88
linux	linux_kernel	4.1.14 ≤ 𝑥 < 4.1.49
linux	linux_kernel	4.2.7 ≤ 𝑥 < 4.3
linux	linux_kernel	4.3.1 ≤ 𝑥 < 4.4.106
linux	linux_kernel	4.5 ≤ 𝑥 < 4.9.70
linux	linux_kernel	4.10 ≤ 𝑥 < 4.14.7
redhat	openshift_container_platform	3.11
redhat	virtualization_host	4.0
redhat	enterprise_linux_desktop	7.0
redhat	enterprise_linux_server	7.0
redhat	enterprise_linux_server_aus	7.6
redhat	enterprise_linux_server_eus	7.6
redhat	enterprise_linux_server_tus	7.6
redhat	enterprise_linux_workstation	7.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
sid	6.11.5-1 fixed
trixie	6.11.5-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

artful	ignored
bionic	not-affected
cosmic	not-affected
trusty	not-affected
xenial	Fixed 4.4.0-119.143 released

linux-aws

artful	dne
bionic	not-affected
cosmic	not-affected
trusty	Fixed 4.4.0-1016.16 released
xenial	Fixed 4.4.0-1054.63 released

linux-azure

artful	dne
bionic	not-affected
cosmic	not-affected
trusty	not-affected
xenial	Fixed 4.15.0-1013.13~16.04.2 released

linux-azure-edge

artful	dne
bionic	not-affected
cosmic	dne
trusty	dne
xenial	not-affected

linux-euclid

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	ignored

linux-flo

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	ignored

linux-gcp

artful	dne
bionic	not-affected
cosmic	not-affected
trusty	dne
xenial	Fixed 4.15.0-1014.14~16.04.1 released

linux-gke

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	ignored

linux-goldfish

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	ignored

linux-grouper

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	dne

linux-hwe

artful	dne
bionic	not-affected
cosmic	dne
trusty	dne
xenial	Fixed 4.15.0-24.26~16.04.1 released

linux-hwe-edge

artful	dne
bionic	not-affected
cosmic	dne
trusty	dne
xenial	Fixed 4.15.0-24.26~16.04.1 released

linux-kvm

artful	dne
bionic	not-affected
cosmic	not-affected
trusty	dne
xenial	Fixed 4.4.0-1020.25 released

linux-lts-trusty

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	dne

linux-lts-utopic

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	dne

linux-lts-vivid

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	dne

linux-lts-wily

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	dne

linux-lts-xenial

artful	dne
bionic	dne
cosmic	dne
trusty	Fixed 4.4.0-119.143~14.04.1 released
xenial	dne

linux-maguro

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	dne

linux-mako

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	ignored

linux-manta

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	dne

linux-oem

artful	dne
bionic	not-affected
cosmic	not-affected
trusty	dne
xenial	ignored

linux-raspi2

artful	ignored
bionic	not-affected
cosmic	not-affected
trusty	dne
xenial	Fixed 4.4.0-1086.94 released

linux-snapdragon

artful	ignored
bionic	not-affected
cosmic	dne
trusty	dne
xenial	Fixed 4.4.0-1088.93 released

Known Exploits!

Common Weakness Enumeration

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References

https://access.redhat.com/errata/RHBA-2019:0327

https://access.redhat.com/errata/RHSA-2019:0163

https://access.redhat.com/errata/RHSA-2019:0188

https://access.redhat.com/errata/RHSA-2019:1170

https://access.redhat.com/errata/RHSA-2019:1190

https://access.redhat.com/errata/RHSA-2019:3967

https://access.redhat.com/errata/RHSA-2019:4159

https://access.redhat.com/errata/RHSA-2020:0174

https://blogs.securiteam.com/index.php/archives/3731