CVE-2018-18559

22.10.2018, 16:29

In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control.

Race Condition

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.1 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 78%

Vendor	Product	Version
linux	linux_kernel	3.2.95 ≤ 𝑥 < 3.2.100
linux	linux_kernel	3.14.58 ≤ 𝑥 < 3.15
linux	linux_kernel	3.18.25 ≤ 𝑥 < 3.18.88
linux	linux_kernel	4.1.14 ≤ 𝑥 < 4.1.49
linux	linux_kernel	4.2.7 ≤ 𝑥 < 4.3
linux	linux_kernel	4.3.1 ≤ 𝑥 < 4.4.106
linux	linux_kernel	4.5 ≤ 𝑥 < 4.9.70
linux	linux_kernel	4.10 ≤ 𝑥 < 4.14.7
redhat	openshift_container_platform	3.11
redhat	virtualization_host	4.0
redhat	enterprise_linux_desktop	7.0
redhat	enterprise_linux_server	7.0
redhat	enterprise_linux_server_aus	7.6
redhat	enterprise_linux_server_eus	7.6
redhat	enterprise_linux_server_tus	7.6
redhat	enterprise_linux_workstation	7.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
sid	6.11.5-1 fixed
trixie	6.11.5-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

cosmic	not-affected
bionic	not-affected
artful	ignored
xenial	Fixed 4.4.0-119.143 released
trusty	not-affected

linux-aws

cosmic	not-affected
bionic	not-affected
artful	dne
xenial	Fixed 4.4.0-1054.63 released
trusty	Fixed 4.4.0-1016.16 released

linux-azure

cosmic	not-affected
bionic	not-affected
artful	dne
xenial	Fixed 4.15.0-1013.13~16.04.2 released
trusty	not-affected

linux-azure-edge

cosmic	dne
bionic	not-affected
artful	dne
xenial	not-affected
trusty	dne

linux-euclid

cosmic	dne
bionic	dne
artful	dne
xenial	ignored
trusty	dne

linux-flo

cosmic	dne
bionic	dne
artful	dne
xenial	ignored
trusty	dne

linux-gcp

cosmic	not-affected
bionic	not-affected
artful	dne
xenial	Fixed 4.15.0-1014.14~16.04.1 released
trusty	dne

linux-gke

cosmic	dne
bionic	dne
artful	dne
xenial	ignored
trusty	dne

linux-goldfish

cosmic	dne
bionic	dne
artful	dne
xenial	ignored
trusty	dne

linux-grouper

cosmic	dne
bionic	dne
artful	dne
xenial	dne
trusty	dne

linux-hwe

cosmic	dne
bionic	not-affected
artful	dne
xenial	Fixed 4.15.0-24.26~16.04.1 released
trusty	dne

linux-hwe-edge

cosmic	dne
bionic	not-affected
artful	dne
xenial	Fixed 4.15.0-24.26~16.04.1 released
trusty	dne

linux-kvm

cosmic	not-affected
bionic	not-affected
artful	dne
xenial	Fixed 4.4.0-1020.25 released
trusty	dne

linux-lts-trusty

cosmic	dne
bionic	dne
artful	dne
xenial	dne
trusty	dne

linux-lts-utopic

cosmic	dne
bionic	dne
artful	dne
xenial	dne
trusty	dne

linux-lts-vivid

cosmic	dne
bionic	dne
artful	dne
xenial	dne
trusty	dne

linux-lts-wily

cosmic	dne
bionic	dne
artful	dne
xenial	dne
trusty	dne

linux-lts-xenial

cosmic	dne
bionic	dne
artful	dne
xenial	dne
trusty	Fixed 4.4.0-119.143~14.04.1 released

linux-maguro

cosmic	dne
bionic	dne
artful	dne
xenial	dne
trusty	dne

linux-mako

cosmic	dne
bionic	dne
artful	dne
xenial	ignored
trusty	dne

linux-manta

cosmic	dne
bionic	dne
artful	dne
xenial	dne
trusty	dne

linux-oem

cosmic	not-affected
bionic	not-affected
artful	dne
xenial	ignored
trusty	dne

linux-raspi2

cosmic	not-affected
bionic	not-affected
artful	ignored
xenial	Fixed 4.4.0-1086.94 released
trusty	dne

linux-snapdragon

cosmic	dne
bionic	not-affected
artful	ignored
xenial	Fixed 4.4.0-1088.93 released
trusty	dne

Known Exploits!

Common Weakness Enumeration

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References

https://access.redhat.com/errata/RHBA-2019:0327

https://access.redhat.com/errata/RHSA-2019:0163

https://access.redhat.com/errata/RHSA-2019:0188

https://access.redhat.com/errata/RHSA-2019:1170

https://access.redhat.com/errata/RHSA-2019:1190

https://access.redhat.com/errata/RHSA-2019:3967

https://access.redhat.com/errata/RHSA-2019:4159

https://access.redhat.com/errata/RHSA-2020:0174

https://blogs.securiteam.com/index.php/archives/3731