CVE-2015-2925

Severity

69%

Complexity

34%

Confidentiality

165%

The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a "double-chroot attack."

The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a "double-chroot attack."

CVSS 2.0 Base Score 6.9. CVSS Attack Vector: local. CVSS Attack Complexity: medium. CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C).

Overview

First reported 9 years ago

2015-11-16 11:59:00

Last updated 7 years ago

2018-01-05 02:30:00

Affected Software

Linux Kernel

References

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=397d425dc26da728396e66d392d5dcb8dac30c37

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cde93be45a8a90d8c264c776fab63487b5038a65

Vendor Advisory

SUSE-SU-2015:2194

SUSE-SU-2015:2292

SUSE-SU-2016:0335

SUSE-SU-2016:0337

SUSE-SU-2016:0380

SUSE-SU-2016:0381

SUSE-SU-2016:0383

SUSE-SU-2016:0384

SUSE-SU-2016:0386

SUSE-SU-2016:0387

SUSE-SU-2016:0434

[containers] 20150403 [PATCH review 17/19] vfs: Test for and handle paths that are unreachable from their mnt_root

[containers] 20150403 [PATCH review 19/19] vfs: Do not allow escaping from bind mounts.

http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?h=f22&id=520b64102de2f184036024b2a53de2b67463bd78

RHSA-2015:2636

RHSA-2016:0068

DSA-3364

DSA-3372

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.2.4

Vendor Advisory

[oss-security] 20150404 Re: Linux namespaces: It is possible to escape from bind mounts

http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

73926

USN-2792-1

USN-2794-1

USN-2795-1

USN-2798-1

USN-2799-1

https://bugzilla.redhat.com/show_bug.cgi?id=1209367

https://bugzilla.redhat.com/show_bug.cgi?id=1209373

https://github.com/torvalds/linux/commit/397d425dc26da728396e66d392d5dcb8dac30c37

Vendor Advisory

https://github.com/torvalds/linux/commit/cde93be45a8a90d8c264c776fab63487b5038a65

Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.