Main Vulnerability Database SB2018120502

SB2018120502 - Multiple vulnerabilities in Linux Kernel

Published: December 5, 2018 Updated: December 17, 2018

Security Bulletin ID SB2018120502

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Use-after-free error (CVE-ID: CVE-2018-19824)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists in the Advanced Linux Sound Architecture (ALSA) driver due to use-after-free error in the usb_audio_probefunction, as defined in the sound/usb/card.c source code file. A local attacker can supply a malicious USB sound device with no interfaces, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Security restrictions bypass (CVE-ID: CVE-2018-18397)

The vulnerability allows a local attacker to bypass security restrictions on the target system.

The vulnerability exists due to improper access control in the userfaultfd implementation. A local attacker can access a system that is mounted with shmem or hugetlbs virtual memory areas, maliciously modify mapping to targeted files and write arbitrary memory on the system, which could be used to conduct additional attacks.

Remediation

Install update from vendor's website.

SB2018120502 - Multiple vulnerabilities in Linux Kernel

Breakdown by Severity

Description

Remediation

References