Multiple vulnerabilities in procps

Published: 2018-05-22 | Updated: 2018-05-23

Risk	High
Patch available	YES
Number of vulnerabilities	7
CVE-ID	CVE-2018-1121 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1120 CVE-2018-1125 CVE-2018-1126
CWE-ID	CWE-362 CWE-264 CWE-120 CWE-190 CWE-20 CWE-121
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. Public exploit code for vulnerability #5 is available. Public exploit code for vulnerability #6 is available. Public exploit code for vulnerability #7 is available.
Vulnerable software Subscribe	procps Client/Desktop applications / Software for system administration
Vendor	procps-ng

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) Race condition

EUVDB-ID: #VU12974

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-1121

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to a race condition inherent in reading /proc/PID entries. A remote attacker can hide a process from procps-ng's utilities and cause the service to crash.

Mitigation

Update to version 3.3.15.

Vulnerable software versions

procps: All versions

CPE2.3

cpe:2.3:a:procps-ng:procps:*:*:*:*:*:*:*:*

External links

http://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Privilege escalation

EUVDB-ID: #VU12975

Risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-1122

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to top reads its configuration file from the current working directory, without any security check, if the HOME environment variable is unset or empty. A local attacker can exploit one of several vulnerabilities in top's config_file() function, execute top in /tmp (for example) and gain elevated privileges.

Mitigation

Update to version 3.3.15.

Vulnerable software versions

procps: All versions

CPE2.3

cpe:2.3:a:procps-ng:procps:*:*:*:*:*:*:*:*

External links

http://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Buffer overflow

EUVDB-ID: #VU12976

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-1123

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to ps mmap()s its output buffer and mprotect()s its last page with PROT_NONE (an effective guard page). A remote attacker can trick the victim into opening a specially crafted input, overflow the output buffer of ps and cause the service to crash.

Mitigation

Update to version 3.3.15.

Vulnerable software versions

procps: All versions

CPE2.3

cpe:2.3:a:procps-ng:procps:*:*:*:*:*:*:*:*

External links

http://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Integer overflow

EUVDB-ID: #VU12977

Risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-1124

CWE-ID: CWE-190 - Integer overflow

Exploit availability: Yes

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to integer overflow in libprocps's file2strvec() function. A local attacker can execute a vulnerable utility (pgrep, pidof, pkill, and w are vulnerable by default; other utilities are vulnerable if executed with non-default options) and gain elevated privileges.

Mitigation

Update to version 3.3.15.

Vulnerable software versions

procps: All versions

CPE2.3

cpe:2.3:a:procps-ng:procps:*:*:*:*:*:*:*:*

External links

http://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Improper input validation

EUVDB-ID: #VU12853

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-1120

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a local user to cause DoS condition on the target system.

The weakness exists due to insufficient validation of user-supplied input. A local user can block any read() access to /proc/PID/cmdline by mmap()ing a FUSE file (Filesystem in Userspace) onto this process's command-line arguments, block pgrep, pidof, pkill, ps, and w, either forever (a denial of service), or for some controlled time (a synchronization tool for exploiting other vulnerabilities).

Mitigation

Install update: https://www.qualys.com/2018/05/17/procps-ng-audit-report-patches.tar.gz

Vulnerable software versions

procps: All versions

CPE2.3

cpe:2.3:a:procps-ng:procps:*:*:*:*:*:*:*:

External links

http://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

6) Stack-based buffer overflow

EUVDB-ID: #VU12993

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-1125

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to stack-based buffer overflow. A remote attacker can send a specially crafted request, trigger memory corruption and execute arbitrary code with elevated privileges.

Mitigation

Update to version 3.3.15.

Vulnerable software versions

procps: All versions

CPE2.3

cpe:2.3:a:procps-ng:procps:*:*:*:*:*:*:*:*

External links

http://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

7) Buffer overflow

EUVDB-ID: #VU12992

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-1126

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to improper bounds checking. A remote attacker can send a specially crafted request, trigger memory corruption and execute arbitrary code with elevated privileges.

Mitigation

Update to version 3.3.15.

Vulnerable software versions

procps: All versions

CPE2.3

cpe:2.3:a:procps-ng:procps:*:*:*:*:*:*:*:*

External links

http://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.