June's Linux kernel vulnerability: futex subsystem, possible local privilege escalation (CVE-2014-3153)

    Summer is off to a hot start. CVE-2014-0196, which allows local root, was fixed only recently, and another similar local vulnerability has already arrived: CVE-2014-3153. Although there is no public exploit yet, all current kernel versions are affected: from 2.6.32 to 3.14.5.
    Note for Gentoo users: unlike CVE-2014-0196, hardened kernels are also affected.

    Here is a translation of the original announcement from the mailing list:
    Pinkie Pie (as I understand it, some strong security researcher is hiding behind the nickname of the My Little Pony character - translator's note) discovered a problem in the futex subsystem that allows a local user to gain ring 0 control through the futex system call. An unprivileged user could use this vulnerability to crash the kernel (resulting in denial of service (DoS)) or for privilege escalation.


    The initial patch fixing the vulnerability.

    Updates are available for all stable kernel branches.

    As they say, the vulnerability is especially “good” in that the futex subsystem is reachable from all sorts of Linux “sandboxes”, such as those used by Chromium, Tor and OpenSSH.

    Update, colleagues; do not wait for an exploit to appear.

    Bug in Gentoo. Fixed versions: sys-kernel/gentoo-sources-{3.10.41,3.12.21}-r1, hardened-sources-3.14.5-r2, hardened-sources-3.2.59-r5.

    Fixed in Debian wheezy. Fixed version: 3.2.57-3+deb7u2. A fix for other versions of Debian will be available later.

    Fixed in Ubuntu. For trusty, version 3.13.0-29.53.

    Arch Linux is lagging behind.
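
    A triage check built from the Gentoo versions listed above, added here as an example and not part of the original post. It assumes Gentoo's default `uname -r` naming (`<version>-gentoo[-rN]`, `<version>-hardened[-rN]`); the function name and result labels are illustrative. Other distributions backport the fix without changing the release string, so they are referred to the vendor advisory.

```python
import platform
import re

# Fixed Gentoo package revisions from the list above:
# (flavour, kernel version) -> lowest fixed "-rN" revision.
FIXED = {
    ("gentoo", (3, 10, 41)): 1,
    ("gentoo", (3, 12, 21)): 1,
    ("hardened", (3, 14, 5)): 2,
    ("hardened", (3, 2, 59)): 5,
}
# Affected upstream range as stated in the post: 2.6.32 to 3.14.5.
AFFECTED_MIN, AFFECTED_MAX = (2, 6, 32), (3, 14, 5)

# Assumption: release strings look like "3.12.21-gentoo-r1"; a custom
# CONFIG_LOCALVERSION will not match the flavour and falls through.
RELEASE_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(gentoo|hardened))?(?:-r(\d+))?"
)

def classify(release):
    """Classify a `uname -r` string against the versions in the post."""
    m = RELEASE_RE.match(release)
    if not m:
        return "unknown"
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    flavour, rev = m.group(4), int(m.group(5) or 0)
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "outside affected range"
    min_rev = FIXED.get((flavour, version))
    if min_rev is None:
        # In range, but the release string cannot show a backported fix
        # (Debian, Ubuntu, other Gentoo versions): compare the package
        # version against the distribution's advisory instead.
        return "check vendor advisory"
    return "fixed" if rev >= min_rev else "vulnerable"

if __name__ == "__main__":
    release = platform.release()
    print(release, "->", classify(release))
```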
