U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

Serious vulnerabilities in the Linux kernel, upgrade it now!

A new series of vulnerabilities in Linux Kernel allows an attacker to lead DoS and privilege escalation attack, Debian urges upgrades for Linux users. Numerous security flaws have been discovered and fixed in the Linux kernel, patch management for these vulnerabilities is critical to avoid that attackers could have led to a denial of service […]

Serious vulnerabilities in the Linux kernel, upgrade it now!

A new series of vulnerabilities in Linux Kernel allows an attacker to lead DoS and privilege escalation attack, Debian urges upgrades for Linux users.

Numerous security flaws have been discovered and fixed in the Linux kernel, patch management for these vulnerabilities is critical to avoid that attackers could have led to a denial of service or privilege escalation.

Debian yesterday issued a new security update to warn its Linux users about the presence of new vulnerabilities that could be exploited for the above reasons. The vulnerabilities are

CVE-2014-3144
CVE-2014-3145
CVE-2014-3153

The first two flaws could lead DoS via crafted BPF instructions while the third one could be exploited to crash the kernel or for privilege escalation.

CVE-2014-3144 / CVE-2014-3145

A local user can cause a denial of service (system crash) via crafted BPF instructions.

CVE-2014-3153

Pinkie Pie discovered an issue in the futex subsystem that allows a local user to gain ring 0 control via the futex syscall. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation.

The above flaw was reported by Pinkie Pie, the anonymous hacker who discovered the sandbox escape against Chrome in 2012.

linux

The futux mechanism, available within most Linux sandboxes, is a “fast, lightweight kernel-assisted locking primitive for user-space applications.”, a local user through its system calls could gain ring 0 control.

Due to the large diffusion of futux mechanism, the fix for the vulnerability CVE-2014-3153 is considered critical.

“The futex syscall can leave a queued kernel waiter hanging on the stack. By manipulating the stack with further syscalls, the waiter structure can be altered. When later woken up, the altered waiter can result in arbitrary code execution in ring 0,” wrote Kees Cook, a ChromeOS security researcher and former Ubuntu Security Engineer.

Debian and all Linux users are invited to upgrade their packages, be aware that the patches for unstable version will be soon available, meantime version 3.2.57-3+deb7u2 have been already fixed.

Don’t waste time, upgrade your systems!

Pierluigi Paganini

(Security Affairs –  Linux Kernel, hacking)