Linux Kernel up to 3.15-rc3 media-device.c media_enum_entities information disclosure

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 3.4 | $0-$5k | 0.00 |
Summary
A vulnerability classified as problematic was found in Linux Kernel up to 3.15-rc3. Affected by this issue is the function media_enum_entities of the file /drivers/media/media-device.c. The manipulation results in information disclosure.
This vulnerability was named CVE-2014-1739. In addition, an exploit is available.
Applying a patch is advised to resolve this issue.
Details
A vulnerability classified as problematic has been found in Linux Kernel up to 3.15-rc3 (Operating System). Affected is the function media_enum_entities of the file /drivers/media/media-device.c. The manipulation with an unknown input leads to a information disclosure vulnerability. CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality.
The issue has been introduced in 03/23/2011. The weakness was presented 04/28/2014 by Salva Peiró as CVE-2014-1739: Kernel Infoleak vulnerability in media_enum_entities() as confirmed blog post (Website). The advisory is shared for download at speirofr.appspot.com. The public release was coordinated in cooperation with the vendor. This vulnerability is traded as CVE-2014-1739 since 01/29/2014. The exploitability is told to be difficult. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details and a public exploit are known. The MITRE ATT&CK project declares the attack technique as T1592. The advisory points out:
During a code review of the kernel sources we found an infoleak vulnerability in the ioctl media_enum_entities() that allows to disclose 200 bytes the kernel process’ stack.
A public exploit has been developed by Salva Peiró in ANSI C and been published immediately after the advisory. The exploit is shared for download at speirofr.appspot.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 1132 days. During that time the estimated underground price was around $5k-$25k. The vulnerability scanner Nessus provides a plugin with the ID 76298 (Ubuntu 13.10 : linux vulnerabilities (USN-2264-1)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Ubuntu Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 350337 (Amazon Linux Security Advisory for kernel: ALAS-2014-392). The advisory illustrates:
The vulnerability is exploitable on versions up to linux-3.15-rc3 by local users with read access to /dev/media0. (…) The PoC code media-enum-poc.c triggers the vulnerability by issuing the ioctl(fd, MEDIA_IOC_ENUM_ENTITIES) request and checking the data returned.
Applying a patch is able to eliminate this problem. The bugfix is ready for download at git.linuxtv.org. It is possible to mitigate the problem by applying the configuration setting chmod 600 /dev/media0. The best possible mitigation is suggested to be patching the affected component. A possible mitigation has been published 1 days after the disclosure of the vulnerability. The vulnerability will be addressed with the following lines of code:
memset(&u_ent, 0, sizeof(u_ent));The blog post contains the following remark:
Linux distributions ship with chmod 600 /dev/media0 preventing unprivileged local users from exploiting the vulnerability. However, some Android devices are known to be shipped with both read and/or write permissions for all: chmod 666 /dev/media0.
The vulnerability is also documented in the databases at X-Force (94050), Exploit-DB (39214), Tenable (76298), SecurityFocus (BID 68048†) and Secunia (SA58990†). Further details are available at cxsecurity.com. VulDB is the best source for vulnerability data and more expert information about this specific topic.
Affected
- Google Android
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 3.7VulDB Meta Temp Score: 3.4
VulDB Base Score: 3.7
VulDB Temp Score: 3.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Information disclosureCWE: CWE-200 / CWE-284 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Author: Salva Peiró
Programming Language: 🔍
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 76298
Nessus Name: Ubuntu 13.10 : linux vulnerabilities (USN-2264-1)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 800345
OpenVAS Name: Oracle Linux Local Check: ELSA-2014-1971
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Exploit Delay Time: 🔍
Patch: git.linuxtv.org
Config: chmod 600 /dev/media0
Timeline
03/23/2011 🔍01/29/2014 🔍
04/28/2014 🔍
04/28/2014 🔍
04/28/2014 🔍
04/28/2014 🔍
04/29/2014 🔍
05/28/2014 🔍
06/09/2014 🔍
06/15/2014 🔍
06/23/2014 🔍
06/28/2014 🔍
07/20/2014 🔍
11/25/2024 🔍
Sources
Vendor: kernel.orgAdvisory: CVE-2014-1739: Kernel Infoleak vulnerability in media_enum_entities()
Researcher: Salva Peiró
Status: Confirmed
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2014-1739 (🔍)
GCVE (CVE): GCVE-0-2014-1739
GCVE (VulDB): GCVE-100-13608
OVAL: 🔍
X-Force: 94050 - Linux Kernel media_device_enum_entities() information disclosure, Medium Risk
SecurityFocus: 68048
Secunia: 58990 - Debian update for linux, Less Critical
SecurityTracker: 1038201
Vulnerability Center: 45514 - Linux Kernel <3.14.6 Local Memory Leakage in media_enum_entities(), Low
scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍
Entry
Created: 06/15/2014 16:03Updated: 11/25/2024 08:13
Changes: 06/15/2014 16:03 (94), 06/02/2017 07:59 (12), 06/22/2021 22:41 (4), 06/22/2021 22:53 (1), 11/25/2024 08:13 (14)
Complete: 🔍
Cache ID: 216::103
VulDB is the best source for vulnerability data and more expert information about this specific topic.
No comments yet. Languages: en.
Please log in to comment.