CVE-2015-1350

MEDIUM5.5

The VFS subsystem in the Linux kernel 3

Published May 2, 2016

Modified 1 years ago

Details

The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allows local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program.

References

WEBhttp://marc.info/?l=linux-kernel&m=142153722930533&w=2 WEBhttp://www.openwall.com/lists/oss-security/2015/01/24/5 WEBhttp://www.securityfocus.com/bid/76075 WEBhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770492 WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=1185139 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2015-1350

CVSS Analysis

CVSS v3.1

5.5

Exploitability

Attack Vector

LocalAV:L

Attack Complexity

LowAC:L

Privileges Required

LowPR:L

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

NoneI:N

Availability

HighA:H

5.5/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Ecosystems

Timeline

PublishedMay 2, 2016

ModifiedAug 6, 2024