CVE-2018-1124 - procps-ng before version 3.3.15 is vulnerable to multiple integer overflows leading to a heap corrup

CVE-2018-1124

Summary

procps-ng before version 3.3.15 is vulnerable to multiple integer overflows leading to a heap corruption in file2strvec function. This allows a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users.

References

Vulnerable Configurations

cpe:2.3:a:procps-ng_project:procps-ng:3.3.0:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.0:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.1:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.1:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.2:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.2:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.3:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.3:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.4:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.4:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.5:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.5:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.6:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.6:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.7:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.7:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.8:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.8:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.9:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.9:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.10:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.10:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.11:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.11:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.12:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.12:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.13:-:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.13:-:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.13:rc1:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.13:rc1:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.14:*:*:*:*:*:*:*
cpe:2.3:a:procps-ng_project:procps-ng:3.3.14:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
cpe:2.3:a:schneider-electric:struxureware_data_center_expert:7.3.1:*:*:*:*:*:*:*
cpe:2.3:a:schneider-electric:struxureware_data_center_expert:7.3.1:*:*:*:*:*:*:*
cpe:2.3:a:schneider-electric:struxureware_data_center_expert:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:schneider-electric:struxureware_data_center_expert:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:schneider-electric:struxureware_data_center_expert:7.4.1:*:*:*:*:*:*:*
cpe:2.3:a:schneider-electric:struxureware_data_center_expert:7.4.1:*:*:*:*:*:*:*
cpe:2.3:a:schneider-electric:struxureware_data_center_expert:7.4.2:*:*:*:*:*:*:*
cpe:2.3:a:schneider-electric:struxureware_data_center_expert:7.4.2:*:*:*:*:*:*:*
cpe:2.3:a:schneider-electric:struxureware_data_center_expert:7.4.3:*:*:*:*:*:*:*
cpe:2.3:a:schneider-electric:struxureware_data_center_expert:7.4.3:*:*:*:*:*:*:*
cpe:2.3:a:schneider-electric:struxureware_data_center_expert:7.5.0:*:*:*:*:*:*:*
cpe:2.3:a:schneider-electric:struxureware_data_center_expert:7.5.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

CVSS

Base:	4.6 (as of 09-09-2020 - 14:58)
Impact:
Exploitability:

CWE

CWE-190

CAPEC

Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Access

Vector	Complexity	Authentication
LOCAL	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:L/AC:L/Au:N/C:P/I:P/A:P

redhat via4

advisories

rhsa
id RHSA-2018:1700
rhsa
id RHSA-2018:1777
rhsa
id RHSA-2018:1820
rhsa
id RHSA-2018:2267
rhsa
id RHSA-2018:2268
rhsa
id RHSA-2019:1944
rhsa
id RHSA-2019:2401

rpms

procps-ng-0:3.3.10-17.el7_5.2
procps-ng-debuginfo-0:3.3.10-17.el7_5.2
procps-ng-devel-0:3.3.10-17.el7_5.2
procps-ng-i18n-0:3.3.10-17.el7_5.2
procps-0:3.2.8-45.el6_9.3
procps-debuginfo-0:3.2.8-45.el6_9.3
procps-devel-0:3.2.8-45.el6_9.3
imgbased-0:1.0.17-0.1.el7ev
python-imgbased-0:1.0.17-0.1.el7ev
redhat-release-virtualization-host-0:4.2-3.1.el7
redhat-virtualization-host-image-update-0:4.2-20180531.0.el7_5
redhat-virtualization-host-image-update-placeholder-0:4.2-3.1.el7
procps-0:3.2.8-35.el6_7.1
procps-debuginfo-0:3.2.8-35.el6_7.1
procps-devel-0:3.2.8-35.el6_7.1
procps-0:3.2.8-30.el6_6.1
procps-debuginfo-0:3.2.8-30.el6_6.1
procps-devel-0:3.2.8-30.el6_6.1
procps-ng-0:3.3.10-16.el7_4.1
procps-ng-debuginfo-0:3.3.10-16.el7_4.1
procps-ng-devel-0:3.3.10-16.el7_4.1
procps-ng-i18n-0:3.3.10-16.el7_4.1
procps-ng-0:3.3.10-10.el7_3.1
procps-ng-debuginfo-0:3.3.10-10.el7_3.1
procps-ng-devel-0:3.3.10-10.el7_3.1
procps-ng-i18n-0:3.3.10-10.el7_3.1

refmap via4

bid	104214
confirm	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1124 https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 https://kc.mcafee.com/corporate/index?page=content&id=SB10241
debian	DSA-4208
exploit-db	44806
gentoo	GLSA-201805-14
misc	https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt
mlist	[debian-lts-announce] 20180531 [SECURITY] [DLA 1390-1] procps security update [oss-security] 20180517 Qualys Security Advisory - Procps-ng Audit Report
sectrack	1041057
suse	openSUSE-SU-2019:2376 openSUSE-SU-2019:2379
ubuntu	USN-3658-1 USN-3658-2

Last major update

09-09-2020 - 14:58

Published

23-05-2018 - 13:29

Last modified

09-09-2020 - 14:58