Linux suffers from an arbitrary kernel read into dmesg via a missing address check in the segfault handler.
06e9283f3dd8c10929847de0f7b403d2There is a variety of RPC communication channels between the Chrome OS host system and the crosvm guest. This bug report focuses on communication on TCP port 8889, which is used by the "garcon" service. garcon uses gRPC, which is an RPC protocol that sends protobufs over plaintext HTTP/2. (Other system components communicate with the VM over gRPC-over-vsock, but garcon uses gRPC-over-TCP.) For some command types, the TCP connection is initiated by the host; for others, it is initiated by the guest. Both guest and host are listening on [::]:8889; however, the iptables rules of the host prevent an outside host from simply connecting to those sockets. However, apps running on the host are not affected by such restrictions.
aff1ab159e8069bed85cefa1dff66810Android suffers from a privilege escalation vulnerability in zygote that can be leveraged by CVE-2018-9445.
ab958bdb52ab9f8d11c64fe093731380Linux suffers from an insufficient shootdown for paging-structure caches.
8c0d36eab2a0b162e885643f73377706gVisor Sentry permits access to the renameat() syscall. As the sentry is not chrooted, it permits renaming files in the host system.
82846292495d155d34683eb88e13fadeLinux suffers from a reiserfs listxattr_filler() heap overflow vulnerability.
32f35281c7d063fa006860df2819530eWayland suffers from an out-of-bounds memory access vulnerability in wl_connection_demarshal() on 32-bit systems.
d6df3a560088b2c39f11b2f8dc3a2c2dRace conditions exist on percpu refcounts on struct mount.
2431157d4031096f9869974723e0f6f4Android suffers from a directory traversal vulnerability leveraged over USB via injection in blkid output.
54330565924c07e00a436420e71adec0cgit suffers from a directory traversal vulnerability in cgit_clone_objects().
f306e9c0fb056a4bc0fe47e73bb69b90It is possible to bypass fusermount's restrictions on the use of the "allow_other" mount option as follows if SELinux is active.
9e10d920caa48857046e580c577e1ff4Linux kernel versions prior to 4.14.8 utilize the Berkeley Packet Filter (BPF) which contains a vulnerability where it may improperly perform signing for an extension. This can be utilized to escalate privileges. The target system must be compiled with BPF support and must not have kernel.unprivileged_bpf_disabled set to 1. This Metasploit module has been tested successfully on many different kernels.
4596fc215a7899eb6de8fccca0e92708Linux/Ubuntu suffers from a vulnerability where other users' coredumps can be read via a setgid directory and killpriv bypass.
643a11ef1ca33c7ad1aef476e210c8b8Linux ext4 suffers from an out-of-bounds memcpy via a non-inline system.data xattr.
0cb247cca18add1aee1a164432f6a72cVariant 4 of the speculative execution vulnerability that focuses on a speculative store bypass.
0c2f7e12ec920a6130940707130bd9feLinux suffers from a 4-byte information leak via an uninitialized struct field in the compat adjtimex syscall.
3e22473d4edff1e68082884c6f7a235bFreeBSD Security Advisory - A number of issues relating to speculative execution were found last year and publicly announced January 3rd. Two of these, known as Meltdown and Spectre V2, are addressed here.
a26c0e3e31cfe9f94c14cc22c3de9089MacOS suffers from a sysctl_vfs_generic_conf stack leak through struct padding.
376a5cb1ecad7a5a4de3c6b7b7067429MacOS suffers from a sysctl_default_netsvctype_to_dscp_map and sysctl_dscp_to_wifi_ac_map stack leak through struct padding.
ae34699e2753df4dc0f4fbe8b25d4bd5eBPF had the verifier bug backported to version 4.9-stable.
8a1c22a5152b26d19ce1cffd65c19ab9macOS suffers from a process_policy stack leak through an uninitialized field.
087461a94f1e181ee115eef15d6fd864An information leak using speculative execution exists in CPUs by Intel, AMD, and to some extent, ARM.
b69690cdd34a7503e0457b6da3b6cd0eThis Metasploit module exploits a vulnerability in VMware Workstation Pro and Player on Linux which allows users to escalate their privileges by using an ALSA configuration file to load and execute a shared object as root when launching a virtual machine with an attached sound card. This Metasploit module has been tested successfully on VMware Player version 12.5.0 on Debian Linux.
f3b6448b87cca47f57a97189ff144abbThis is the very thorough blog write-up discussing three variants of side-channel attacks that can be leveraged against CPU data cache timing.
2363cefeef0652a5bd4abcd5e6ee4559eBPF suffers from an arbitrary read and write vulnerability via incorrect range tracking.
ad6516e5054737ab0ef7abdefd3ba79b
© 2018 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed