ID CVE-2018-10872
Summary A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, processor does not deliver interrupts and exceptions, they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel resulting in DoS. This CVE-2018-10872 was assigned due to regression of CVE-2018-8897 in Red Hat Enterprise Linux 6.10 GA kernel. No other versions are affected by this CVE.
References
Vulnerable Configurations
  • cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
CVSS
Base: 4.9 (as of 12-02-2023 - 23:31)
Impact:
Exploitability:
CWE CWE-250
CAPEC
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.
  • Expanding Control over the Operating System from the Database
    An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE COMPLETE
cvss-vector via4 AV:L/AC:L/Au:N/C:N/I:N/A:C
redhat via4
advisories
rhsa
id RHSA-2018:2164
rpms
  • kernel-0:2.6.32-754.2.1.el6
  • kernel-abi-whitelists-0:2.6.32-754.2.1.el6
  • kernel-bootwrapper-0:2.6.32-754.2.1.el6
  • kernel-debug-0:2.6.32-754.2.1.el6
  • kernel-debug-debuginfo-0:2.6.32-754.2.1.el6
  • kernel-debug-devel-0:2.6.32-754.2.1.el6
  • kernel-debuginfo-0:2.6.32-754.2.1.el6
  • kernel-debuginfo-common-i686-0:2.6.32-754.2.1.el6
  • kernel-debuginfo-common-ppc64-0:2.6.32-754.2.1.el6
  • kernel-debuginfo-common-s390x-0:2.6.32-754.2.1.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-754.2.1.el6
  • kernel-devel-0:2.6.32-754.2.1.el6
  • kernel-doc-0:2.6.32-754.2.1.el6
  • kernel-firmware-0:2.6.32-754.2.1.el6
  • kernel-headers-0:2.6.32-754.2.1.el6
  • kernel-kdump-0:2.6.32-754.2.1.el6
  • kernel-kdump-debuginfo-0:2.6.32-754.2.1.el6
  • kernel-kdump-devel-0:2.6.32-754.2.1.el6
  • perf-0:2.6.32-754.2.1.el6
  • perf-debuginfo-0:2.6.32-754.2.1.el6
  • python-perf-0:2.6.32-754.2.1.el6
  • python-perf-debuginfo-0:2.6.32-754.2.1.el6
refmap via4
confirm
misc https://www.oracle.com/security-alerts/cpujul2020.html
Last major update 12-02-2023 - 23:31
Published 10-07-2018 - 19:29
Last modified 12-02-2023 - 23:31
Back to Top