OSG-SEC-2018-10-02 Vulnerability in Linux kernel's create_elf_tables() function
Dear OSG Security Contacts,
A new integer overflow vulnerability described in CVE-2018-14634 [1] has been reported in the Linux kernel's create_elf_tables() function that could potentially allow an attacker to escalate privileges. This vulnerability only applies to systems with more than 32GB of memory and on which users can allocate 32GB. OSG security team considers patching this vulnerability to be IMPORTANT.
IMPACTED VERSIONS/ENVIRONMENTS:
Kernel versions 2.6.x, 3.10.x and 4.14.x. are affected. [1]
ACTION RECOMMENDATIONS:
Patches are available for the following operating systems and OSG Security team advises sites to apply the patch as soon as possible. Please note that patches are still not available for Red Hat Enterprise Linux 6 and Scientific Linux 6. Please pay attention to vendor advisories for patches to those systems.
RedHat Linux: - RHEL7 (kernel): https://access.redhat.com/errata/RHSA-2018:2748
Scientific Linux: - SL 7 (kernel): https://www.scientificlinux.org/category/sl-errata/slsa-20182748-1/
HOW IT WORKS:
An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. This issue does not affect 32-bit systems as they do not have a large enough memory address space to exploit this flaw. [2]
MORE INFORMATION:
- [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14634
- [2] https://access.redhat.com/security/cve/cve-2018-14634
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team