Linux Kernel 3.8 Session Keyring Reference Count process_keys.c join_session_keyring integer overflow
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 8.1 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Linux Kernel 3.8. It has been rated as problematic. This impacts the function join_session_keyring of the file security/keys/process_keys.c of the component Session Keyring Reference Count Handler. This manipulation causes integer overflow.
This vulnerability appears as CVE-2016-0728. The attack requires local access. In addition, an exploit is available.
Upgrading the affected component is advised.
Details
A vulnerability classified as critical was found in Linux Kernel 3.8 (Operating System). Affected by this vulnerability is the function join_session_keyring of the file security/keys/process_keys.c of the component Session Keyring Reference Count Handler. The manipulation with an unknown input leads to a integer overflow vulnerability. The CWE definition for the vulnerability is CWE-190. The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. As an impact it is known to affect confidentiality, integrity, and availability.
The bug was discovered 01/19/2016. The weakness was presented 01/19/2016 with Perception Point Research Team as confirmed advisory (Website). The advisory is shared at perception-point.io. This vulnerability is known as CVE-2016-0728 since 12/16/2015. An attack has to be approached locally. The successful exploitation requires a single authentication. Technical details and also a public exploit are known.
A public exploit has been developed in ANSI C and been published immediately after the advisory. It is possible to download the exploit at gist.github.com. It is declared as attacked. We expect the 0-day to have been worth approximately $5k-$25k. The vulnerability scanner Nessus provides a plugin with the ID 87991 (Amazon Linux AMI : kernel (ALAS-2016-642)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Amazon Linux Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 157108 (Oracle Enterprise Linux Security Update for Unbreakable Enterprise kernel (ELSA-2016-3510)). The code used by the exploit is:
for (i=0; i<5; ++i) {
if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
perror("keyctl");
return -1;
}
}Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (109695), Exploit-DB (39277), Zero-Day.cz (304), Tenable (87991) and SecurityFocus (BID 81054†). Additional details are provided at blogs.cisco.com. See VDB-81294 for similar entry. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
Video
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.3VulDB Meta Temp Score: 8.3
VulDB Base Score: 8.8
VulDB Temp Score: 8.8
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 7.8
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Integer overflowCWE: CWE-190 / CWE-189
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Access: Public
Status: Attacked
Programming Language: 🔍
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 87991
Nessus Name: Amazon Linux AMI : kernel (ALAS-2016-642)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 100313
OpenVAS Name: Amazon Linux Local Check: alas-2016-642
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Exploit-DB: 🔍
Zero-Day.cz: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Exploit Delay Time: 🔍
Patch: git.kernel.org
Fortigate IPS: 🔍
Timeline
12/16/2015 🔍01/11/2016 🔍
01/19/2016 🔍
01/19/2016 🔍
01/19/2016 🔍
01/19/2016 🔍
01/19/2016 🔍
01/20/2016 🔍
01/21/2016 🔍
01/26/2016 🔍
01/27/2016 🔍
02/07/2016 🔍
07/08/2024 🔍
Sources
Vendor: kernel.orgAdvisory: USN-2870-1
Organization: Perception Point Research Team
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2016-0728 (🔍)
GCVE (CVE): GCVE-0-2016-0728
GCVE (VulDB): GCVE-100-80353
X-Force: 109695 - Linux Kernel keyring privilege escalation
SecurityFocus: 81054 - Linux Kernel CVE-2016-0728 Local Privilege Escalation Vulnerability
SecurityTracker: 1034701
Vulnerability Center: 56182 - Linux Kernel 3.8 - 4.4 Local Privilage Escalation Vulnerability due to Reference Leak in Keyrings Facility, Medium
scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍
See also: 🔍
Entry
Created: 01/21/2016 11:19Updated: 07/08/2024 01:08
Changes: 01/21/2016 11:19 (99), 07/15/2019 16:33 (7), 07/03/2022 19:56 (5), 07/03/2022 20:04 (1), 07/08/2024 01:08 (21)
Complete: 🔍
Cache ID: 216:A8F:103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.