CVE-2014-9644 - Improper Privilege Management

Severity

21%

Complexity

39%

Confidentiality

48%

The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421.

CVSS 2.0 Base Score 2.1. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:P/A:N).

Demo Examples

Improper Privilege Management

CWE-269

This code temporarily raises the program's privileges to allow creation of a new user folder.


               
return True
return False#avoid CWE-22 and CWE-78
lowerPrivileges()
return False

While the program only raises its privilege level to create the folder and immediately lowers it again, if the call to os.mkdir() throws an exception, the call to lowerPrivileges() will not occur. As a result, the program is indefinitely operating in a raised privilege state, possibly allowing further exploitation to occur.
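The failure mode described above, next to a variant that always drops privileges. This is an added example, not code from the original page; the `PrivState` class is a hypothetical stand-in for real privilege calls, and the function names are assumptions.

```python
import os
import tempfile

class PrivState:
    """Hypothetical stand-in for the process privilege level (assumption:
    a real program would change its effective UID here)."""
    def __init__(self):
        self.elevated = False
    def raise_privileges(self):
        self.elevated = True
    def lower_privileges(self):
        self.elevated = False

def make_dir_vulnerable(priv, base, username):
    # Pattern the page describes: the drop sits inside the try body,
    # so an exception from os.mkdir() skips it.
    try:
        priv.raise_privileges()
        os.mkdir(os.path.join(base, username))
        priv.lower_privileges()
    except OSError:
        return False
    return True

def make_dir_hardened(priv, base, username):
    # Reject names that could escape base before touching privileges.
    if not username.isalnum():
        return False
    priv.raise_privileges()
    try:
        os.mkdir(os.path.join(base, username))
        return True
    except OSError:
        return False
    finally:
        priv.lower_privileges()  # runs on success, on error, and on return

def demo():
    """Privilege state left behind by each variant after mkdir fails."""
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "alice"))  # constructed: forces FileExistsError
        v, h = PrivState(), PrivState()
        make_dir_vulnerable(v, base, "alice")
        make_dir_hardened(h, base, "alice")
        return v.elevated, h.elevated

if __name__ == "__main__":
    print(demo())
```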

Improper Privilege Management

CWE-269

Evidence of privilege change:


               
seteuid(getuid());/* do some stuff */

               
}
// privileged code goes here, for example:// nothing to return

Improper Privilege Management

CWE-269

This code intends to allow only Administrators to print debug information about a system.


               
}
ADMIN,USER,GUEST
}
}
break;
break;
System.out.println("You must be logged in to perform this command");

While the intention was to allow only Administrators to print the debug information, the code as written excludes only those with the role of "GUEST". Someone with the role of "ADMIN" or "USER" will be allowed access, which goes against the original intent. An attacker may be able to use this debug information to craft an attack on the system.

Improper Privilege Management

CWE-269

This code allows someone with the role of "ADMIN" or "OPERATOR" to reset a user's password. The role of "OPERATOR" is intended to have fewer privileges than an "ADMIN", but still be able to help users with small issues such as forgotten passwords.


               
}
ADMIN,OPERATOR,USER,GUEST
}
}
}
break;
break;
break;
System.out.println("You must be logged in to perform this command");

This code does not check the role of the user whose password is being reset. It is possible for an Operator to gain Admin privileges by resetting the password of an Admin account and taking control of that account.
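One way to close both role-check gaps described above (the debug command open to every non-GUEST role, and the password reset that ignores the target's role). This is an added example, not code from the original page. The role names are the page's; the numeric ranking and the rule that only ADMIN may reset an equal or higher role are assumptions.

```python
from enum import IntEnum

class Role(IntEnum):
    # Role names come from the page; the ranking is an assumption.
    GUEST = 0
    USER = 1
    OPERATOR = 2
    ADMIN = 3

DEBUG_ALLOWED = frozenset({Role.ADMIN})
RESET_ALLOWED = frozenset({Role.ADMIN, Role.OPERATOR})

def debug_denylist(actor):
    # Behaviour the page describes: only GUEST is excluded.
    return actor != Role.GUEST

def can_print_debug(actor):
    # Allow-list: any role not named here is denied, including future ones.
    return actor in DEBUG_ALLOWED

def reset_flawed(actor, target):
    # Behaviour the page describes: the target's role is never consulted.
    return actor in RESET_ALLOWED

def can_reset_password(actor, target):
    if actor not in RESET_ALLOWED:
        return False
    if actor == Role.ADMIN:
        return True
    # Non-admin helpers may only touch strictly lower-ranked accounts.
    return target < actor

def removed_by_fix():
    """(actor, target) pairs the flawed check allows and the fixed one denies."""
    return [(a.name, t.name) for a in Role for t in Role
            if reset_flawed(a, t) and not can_reset_password(a, t)]

if __name__ == "__main__":
    print(removed_by_fix())
```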

Overview

Type

Linux

First reported 9 years ago

2015-03-02 11:59:00

Last updated 4 years ago

2020-05-21 13:11:00

Affected Software

Linux Kernel

Debian Linux 7.0

7.0

Debian Linux 8.0 (Jessie)

8.0

Canonical Ubuntu Linux 12.04 LTS

12.04

Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)

14.04

Canonical Ubuntu Linux 14.10

14.10

Oracle Linux 6

6

Oracle Linux 7

7

References

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=4943ba16bbc2db05115707b3ff7b4874e9e3c560

Patch, Vendor Advisory

RHSA-2016:0068

Third Party Advisory

DSA-3170

Third Party Advisory

http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.18.5

Release Notes, Vendor Advisory

MDVSA-2015:057

Third Party Advisory

MDVSA-2015:058

Third Party Advisory

[oss-security] 20150124 Re: CVE Request: Linux kernel crypto api unprivileged arbitrary module load

Mailing List, Third Party Advisory

http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

Third Party Advisory

72320

Third Party Advisory, VDB Entry

USN-2513-1

Third Party Advisory

USN-2514-1

Third Party Advisory

USN-2543-1

Third Party Advisory

USN-2544-1

Third Party Advisory

USN-2545-1

Third Party Advisory

USN-2546-1

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1190546

Issue Tracking, Third Party Advisory

https://github.com/torvalds/linux/commit/4943ba16bbc2db05115707b3ff7b4874e9e3c560

Patch, Third Party Advisory

https://plus.google.com/+MathiasKrause/posts/PqFCo4bfrWu

Permissions Required
