Vulnerability ID 4503

Linux Kernel SG_IO SCSI IOCTL privilege escalation

Linux
CVSSv3 Temp Score: 4.2
Current Exploit Price (≈): $0-$1k

A vulnerability classified as problematic was found in the Linux Kernel (the affected version is unknown). It affects an unknown function of the component SG_IO SCSI IOCTL. Manipulation with an unknown input leads to privilege escalation. The impact is on confidentiality and integrity.

The weakness was presented on 12/22/2011 by Paolo Bonzini (oss-sec). The advisory is available for download at openwall.com. This vulnerability has been uniquely identified as CVE-2011-4127 since 10/18/2011. Local access is required to attack. A single authentication is necessary for exploitation. The technical details are unknown and an exploit is not publicly available.

The vulnerability scanner Nessus provides a plugin with the ID 68677 (Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2012-2022)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Oracle Linux Local Security Checks and relies on port 0. The commercial vulnerability scanner Qualys is able to test for this issue with plugin 119933.

Applying a patch eliminates this problem. The bugfix is available for download at git.kernel.org. A possible mitigation was published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the databases at SecurityFocus (BID 51176), Secunia (SA47296) and Vulnerability Center (SBV-34110).

CVSSv3

Base Score: 4.4
Temp Score: 4.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:X/RL:O/RC:X
Reliability: High

CVSSv2

Base Score: 3.0 (CVSS2#AV:L/AC:M/Au:S/C:P/I:P/A:N)
Temp Score: 2.6 (CVSS2#E:ND/RL:OF/RC:ND)
Reliability: High

CPE

Exploiting

Class: Privilege escalation (CWE-264)
Local: Yes
Remote: No

Availability: No

Current Price Estimation: $5k-$10k (0-day) / $0-$1k (Today)

Nessus ID: 68677
Nessus Name: Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2012-2022)
Nessus File: ala_ALAS-2012-34.nasl
Nessus Family: Oracle Linux Local Security Checks
Nessus Port: 0
OpenVAS ID: 892389
OpenVAS Name: Debian Security Advisory DSA 2389-1 (linux-2.6 - privilege escalation/denial of service/information leak)
OpenVAS File: deb_2389_1.nasl
OpenVAS Family: Debian Local Security Checks
Qualys ID: 119933

Countermeasures

Recommended: Patch
Status: Official fix
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known

Patch: git.kernel.org

Timeline

10/18/2011 CVE assigned
12/22/2011 +65 days Advisory disclosed
12/22/2011 +0 days Countermeasure disclosed
12/22/2011 +0 days VulnerabilityCenter entry assigned
12/23/2011 +2 days OSVDB entry created
12/25/2011 +1 days VulnerabilityCenter entry created
01/21/2012 +27 days VulDB entry created
07/03/2012 +164 days NVD disclosed
07/12/2013 +374 days Nessus plugin released
06/22/2015 +710 days VulnerabilityCenter entry updated
07/08/2015 +17 days VulDB entry updated

Sources

Advisory: openwall.com
Researcher: Paolo Bonzini
Confirmation: git.kernel.org

CVE: CVE-2011-4127 (mitre.org) (nvd.nist.org) (cvedetails.com)

SecurityFocus: 51176 - Linux Kernel 'SG_IO IOCTL' SCSI Request Local Privilege Escalation Vulnerability
Secunia: 47296 - Linux Kernel "SG_IO" SCSI IOCTL Privilege Escalation Vulnerability, Less Critical
Vulnerability Center: 34110 - Linux Kernel 2.6.39-rc39 and Earlier SG_IO IOCTL Local Privilege Escalation Vulnerability, Medium
OSVDB: 78014 - Linux Kernel SG_IO SCSI IOCTL Command Parsing Local Privilege Escalation

Entry

Created: 01/21/2012
Updated: 07/08/2015
Entry: 88.9% complete