ID CVE-2018-18559
Summary In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because commit 15fe076edea787807a7cdc168df832544b58eba6 was an incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control.
Vulnerable Configurations
  • Linux Kernel 4.19
    cpe:2.3:o:linux:linux_kernel:4.19
  • Red Hat OpenShift Container Platform 3.11
    cpe:2.3:a:redhat:openshift_container_platform:3.11
  • Red Hat Virtualization Host 4.0
    cpe:2.3:a:redhat:virtualization_host:4.0
  • Red Hat Enterprise Linux Desktop 7.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  • Red Hat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • Red Hat Enterprise Linux Server Advanced mission critical Update Support (AUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6
  • Red Hat Enterprise Linux Server Extended Update Support (EUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6
  • Red Hat Enterprise Linux Server Telecommunications Update Service (TUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6
  • Red Hat Enterprise Linux Workstation 7.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0
CVSS
Base: 6.8
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2019-0163.NASL
    description From Red Hat Security Advisory 2019:0163 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * kernel: Use-after-free due to race condition in AF_PACKET implementation (CVE-2018-18559) * kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : These updated kernel packages include also numerous bug fixes and enhancements. Space precludes documenting all of the bug fixes in this advisory. See the descriptions in the related Knowledge Article: https://access.redhat.com/articles/3827321
    last seen 2019-02-21
    modified 2019-01-31
    plugin id 121496
    published 2019-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121496
    title Oracle Linux 7 : kernel (ELSA-2019-0163)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20190129_KERNEL_ON_SL7_X.NASL
    description Security Fix(es) : - kernel: Use-after-free due to race condition in AF_PACKET implementation (CVE-2018-18559) - kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397) Bug Fix(es) : See the descriptions in the related Knowledge Article :
    last seen 2019-02-21
    modified 2019-01-30
    plugin id 121456
    published 2019-01-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121456
    title Scientific Linux Security Update : kernel on SL7.x x86_64
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2018-077.NASL
    description According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerability : - It was discovered that a race condition between packet_do_bind() and packet_notifier() in the implementation of AF_PACKET could lead to use-after-free. An unprivileged user on the host or in a container could exploit this to crash the kernel or, potentially, to escalate their privileges in the system. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-11
    plugin id 121099
    published 2019-01-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121099
    title Virtuozzo 7 : readykernel-patch (VZA-2018-077)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2019-0163.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * kernel: Use-after-free due to race condition in AF_PACKET implementation (CVE-2018-18559) * kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : These updated kernel packages include also numerous bug fixes and enhancements. Space precludes documenting all of the bug fixes in this advisory. See the descriptions in the related Knowledge Article: https://access.redhat.com/articles/3827321
    last seen 2019-02-21
    modified 2019-01-30
    plugin id 121449
    published 2019-01-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121449
    title RHEL 7 : kernel (RHSA-2019:0163)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2019-0188.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * kernel: Use-after-free due to race condition in AF_PACKET implementation (CVE-2018-18559) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * The kernel-rt packages have been upgraded to the 3.10.0-957.5.1 source tree, which provides a number of bug fixes over the previous version. (BZ#1653822) * Under certain circumstances, the following warning message, which indicated a SCHED_DEADLINE bandwidth tracking mechanism error, occurred : WARNING: CPU: 8 PID: 19536 at kernel/sched/deadline.c:64 dequeue_task_dl+0x121/0x140 This update fixes the sched_setscheduler() core kernel function, and backports multiple upstream patches to the SCHED_DEADLINE scheduler. As a result, the SCHED_DEADLINE bandwidth tracking mechanism is prevented from error conditions, and the warning message no longer occurs. (BZ#1655439)
    last seen 2019-02-21
    modified 2019-01-30
    plugin id 121450
    published 2019-01-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121450
    title RHEL 7 : kernel-rt (RHSA-2019:0188)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2019-0163.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * kernel: Use-after-free due to race condition in AF_PACKET implementation (CVE-2018-18559) * kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : These updated kernel packages include also numerous bug fixes and enhancements. Space precludes documenting all of the bug fixes in this advisory. See the descriptions in the related Knowledge Article: https://access.redhat.com/articles/3827321
    last seen 2019-02-21
    modified 2019-02-04
    plugin id 121547
    published 2019-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121547
    title CentOS 7 : kernel (CESA-2019:0163)
redhat via4
advisories
  • bugzilla
    id 1641878
    title CVE-2018-18559 kernel: Use-after-free due to race condition in AF_PACKET implementation
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment bpftool is earlier than 0:3.10.0-957.5.1.el7
          oval oval:com.redhat.rhsa:tst:20190163035
        • comment bpftool is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20183083036
      • AND
        • comment kernel is earlier than 0:3.10.0-957.5.1.el7
          oval oval:com.redhat.rhsa:tst:20190163019
        • comment kernel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842006
      • AND
        • comment kernel-abi-whitelists is earlier than 0:3.10.0-957.5.1.el7
          oval oval:com.redhat.rhsa:tst:20190163007
        • comment kernel-abi-whitelists is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131645028
      • AND
        • comment kernel-bootwrapper is earlier than 0:3.10.0-957.5.1.el7
          oval oval:com.redhat.rhsa:tst:20190163031
        • comment kernel-bootwrapper is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842010
      • AND
        • comment kernel-debug is earlier than 0:3.10.0-957.5.1.el7
          oval oval:com.redhat.rhsa:tst:20190163015
        • comment kernel-debug is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842012
      • AND
        • comment kernel-debug-devel is earlier than 0:3.10.0-957.5.1.el7
          oval oval:com.redhat.rhsa:tst:20190163009
        • comment kernel-debug-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842014
      • AND
        • comment kernel-devel is earlier than 0:3.10.0-957.5.1.el7
          oval oval:com.redhat.rhsa:tst:20190163025
        • comment kernel-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842016
      • AND
        • comment kernel-doc is earlier than 0:3.10.0-957.5.1.el7
          oval oval:com.redhat.rhsa:tst:20190163005
        • comment kernel-doc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842024
      • AND
        • comment kernel-headers is earlier than 0:3.10.0-957.5.1.el7
          oval oval:com.redhat.rhsa:tst:20190163013
        • comment kernel-headers is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842008
      • AND
        • comment kernel-kdump is earlier than 0:3.10.0-957.5.1.el7
          oval oval:com.redhat.rhsa:tst:20190163017
        • comment kernel-kdump is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842018
      • AND
        • comment kernel-kdump-devel is earlier than 0:3.10.0-957.5.1.el7
          oval oval:com.redhat.rhsa:tst:20190163021
        • comment kernel-kdump-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842020
      • AND
        • comment kernel-tools is earlier than 0:3.10.0-957.5.1.el7
          oval oval:com.redhat.rhsa:tst:20190163033
        • comment kernel-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678010
      • AND
        • comment kernel-tools-libs is earlier than 0:3.10.0-957.5.1.el7
          oval oval:com.redhat.rhsa:tst:20190163029
        • comment kernel-tools-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678012
      • AND
        • comment kernel-tools-libs-devel is earlier than 0:3.10.0-957.5.1.el7
          oval oval:com.redhat.rhsa:tst:20190163027
        • comment kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678020
      • AND
        • comment perf is earlier than 0:3.10.0-957.5.1.el7
          oval oval:com.redhat.rhsa:tst:20190163023
        • comment perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842022
      • AND
        • comment python-perf is earlier than 0:3.10.0-957.5.1.el7
          oval oval:com.redhat.rhsa:tst:20190163011
        • comment python-perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111530020
    rhsa
    id RHSA-2019:0163
    released 2019-01-29
    severity Important
    title RHSA-2019:0163: kernel security, bug fix, and enhancement update (Important)
  • bugzilla
    id 1641878
    title CVE-2018-18559 kernel: Use-after-free due to race condition in AF_PACKET implementation
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment kernel-rt is earlier than 0:3.10.0-957.5.1.rt56.916.el7
          oval oval:com.redhat.rhsa:tst:20190188009
        • comment kernel-rt is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727006
      • AND
        • comment kernel-rt-debug is earlier than 0:3.10.0-957.5.1.rt56.916.el7
          oval oval:com.redhat.rhsa:tst:20190188019
        • comment kernel-rt-debug is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727014
      • AND
        • comment kernel-rt-debug-devel is earlier than 0:3.10.0-957.5.1.rt56.916.el7
          oval oval:com.redhat.rhsa:tst:20190188013
        • comment kernel-rt-debug-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727016
      • AND
        • comment kernel-rt-debug-kvm is earlier than 0:3.10.0-957.5.1.rt56.916.el7
          oval oval:com.redhat.rhsa:tst:20190188017
        • comment kernel-rt-debug-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161051024
      • AND
        • comment kernel-rt-devel is earlier than 0:3.10.0-957.5.1.rt56.916.el7
          oval oval:com.redhat.rhsa:tst:20190188015
        • comment kernel-rt-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727012
      • AND
        • comment kernel-rt-doc is earlier than 0:3.10.0-957.5.1.rt56.916.el7
          oval oval:com.redhat.rhsa:tst:20190188005
        • comment kernel-rt-doc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727018
      • AND
        • comment kernel-rt-kvm is earlier than 0:3.10.0-957.5.1.rt56.916.el7
          oval oval:com.redhat.rhsa:tst:20190188007
        • comment kernel-rt-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161051016
      • AND
        • comment kernel-rt-trace is earlier than 0:3.10.0-957.5.1.rt56.916.el7
          oval oval:com.redhat.rhsa:tst:20190188021
        • comment kernel-rt-trace is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727008
      • AND
        • comment kernel-rt-trace-devel is earlier than 0:3.10.0-957.5.1.rt56.916.el7
          oval oval:com.redhat.rhsa:tst:20190188023
        • comment kernel-rt-trace-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727010
      • AND
        • comment kernel-rt-trace-kvm is earlier than 0:3.10.0-957.5.1.rt56.916.el7
          oval oval:com.redhat.rhsa:tst:20190188011
        • comment kernel-rt-trace-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161051018
    rhsa
    id RHSA-2019:0188
    released 2019-01-29
    severity Important
    title RHSA-2019:0188: kernel-rt security and bug fix update (Important)
  • rhsa
    id RHBA-2019:0327
  • rhsa
    id RHSA-2019:1170
  • rhsa
    id RHSA-2019:1190
rpms
  • bpftool-0:3.10.0-957.5.1.el7
  • kernel-0:3.10.0-957.5.1.el7
  • kernel-abi-whitelists-0:3.10.0-957.5.1.el7
  • kernel-bootwrapper-0:3.10.0-957.5.1.el7
  • kernel-debug-0:3.10.0-957.5.1.el7
  • kernel-debug-devel-0:3.10.0-957.5.1.el7
  • kernel-devel-0:3.10.0-957.5.1.el7
  • kernel-doc-0:3.10.0-957.5.1.el7
  • kernel-headers-0:3.10.0-957.5.1.el7
  • kernel-kdump-0:3.10.0-957.5.1.el7
  • kernel-kdump-devel-0:3.10.0-957.5.1.el7
  • kernel-tools-0:3.10.0-957.5.1.el7
  • kernel-tools-libs-0:3.10.0-957.5.1.el7
  • kernel-tools-libs-devel-0:3.10.0-957.5.1.el7
  • perf-0:3.10.0-957.5.1.el7
  • python-perf-0:3.10.0-957.5.1.el7
  • kernel-rt-0:3.10.0-957.5.1.rt56.916.el7
  • kernel-rt-debug-0:3.10.0-957.5.1.rt56.916.el7
  • kernel-rt-debug-devel-0:3.10.0-957.5.1.rt56.916.el7
  • kernel-rt-debug-kvm-0:3.10.0-957.5.1.rt56.916.el7
  • kernel-rt-devel-0:3.10.0-957.5.1.rt56.916.el7
  • kernel-rt-doc-0:3.10.0-957.5.1.rt56.916.el7
  • kernel-rt-kvm-0:3.10.0-957.5.1.rt56.916.el7
  • kernel-rt-trace-0:3.10.0-957.5.1.rt56.916.el7
  • kernel-rt-trace-devel-0:3.10.0-957.5.1.rt56.916.el7
  • kernel-rt-trace-kvm-0:3.10.0-957.5.1.rt56.916.el7