CVE-2014-4699
Published: 2014-07-09
Priority P4 · 32 · medium · CVSS 2.0 6.9 · AV:L/AC:M/Au:N/C:C/I:C/A:C
Tags: EXPLOIT
EPSS: 2.32% (81.3th percentile)
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | linux | < linux 3.14.10-1 (bookworm) | linux 3.14.10-1 (bookworm) |
| linux | linux_kernel | >= 0 < 3.14.10-1 | 3.14.10-1 |
| linux | linux_kernel | >= 0 < 3.14.10-1 | 3.14.10-1 |
| linux | linux_kernel | >= 0 < 3.14.10-1 | 3.14.10-1 |
| linux | linux_kernel | >= 0 < 3.14.10-1 | 3.14.10-1 |
| linux | linux_kernel | >= 2.6.17 < 3.2.61 | 3.2.61 |
| linux | linux_kernel | >= 3.11 < 3.12.25 | 3.12.25 |
| linux | linux_kernel | >= 3.13 < 3.14.11 | 3.14.11 |
| linux | linux_kernel | >= 3.15 < 3.15.4 | 3.15.4 |
| linux | linux_kernel | >= 3.3 < 3.4.97 | 3.4.97 |
| linux | linux_kernel | >= 3.5 < 3.10.47 | 3.10.47 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 6.9 | MEDIUM | — |
| vendor_debian | — | 6.9 | MEDIUM | — |
| vendor_redhat | — | 6.9 | MEDIUM | — |
| vendor_ubuntu | — | 2.9 | LOW | — |
Ubuntu
Linux kernel (OMAP4) vulnerabilities
vendor_ubuntu·2014-07-16·CVSS 2.9
CVE-2014-0131 [LOW] Linux kernel (OMAP4) vulnerabilities
Title: Linux kernel (OMAP4) vulnerabilities
Summary: Several security issues were fixed in the kernel.
Sasha Levin reported a flaw in the Linux kernel's point-to-point protocol (PPP) when used with the Layer Two Tunneling Protocol (L2TP). A local user could exploit this flaw to gain administrative privileges. (CVE-2014-4943)
Andy Lutomirski discovered a flaw with the Linux kernel's ptrace syscall on x86_64 processors. An attacker could exploit this flaw to cause a denial of service (system crash) or potentially gain administrative privileges. (CVE-2014-4699)
Michael S. Tsirkin discovered an information leak in the Linux kernel's segmentation of skbs when using the zerocopy feature of vhost-net. A local attacker could exploit this flaw to gain potentially sensitive information from kernel
Ubuntu
Linux kernel (Trusty HWE) vulnerability
vendor_ubuntu·2014-07-05
CVE-2014-4699 Linux kernel (Trusty HWE) vulnerability
Title: Linux kernel (Trusty HWE) vulnerability
Summary: The system could be made to crash or run programs as an administrator.
Andy Lutomirski discovered a flaw with the Linux kernel's ptrace syscall on x86_64 processors. An attacker could exploit this flaw to cause a denial of service (system crash) or potentially gain administrative privileges.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Ubuntu
Linux kernel (Saucy HWE) vulnerability
vendor_ubuntu·2014-07-05
CVE-2014-4699 Linux kernel (Saucy HWE) vulnerability
Title: Linux kernel (Saucy HWE) vulnerability
Summary: The system could be made to crash or run programs as an administrator.
Andy Lutomirski discovered a flaw with the Linux kernel's ptrace syscall on x86_64 processors. An attacker could exploit this flaw to cause a denial of service (system crash) or potentially gain administrative privileges.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Ubuntu
Linux kernel vulnerability
vendor_ubuntu·2014-07-05
CVE-2014-4699 Linux kernel vulnerability
Title: Linux kernel vulnerability
Summary: The system could be made to crash or run programs as an administrator.
Andy Lutomirski discovered a flaw with the Linux kernel's ptrace syscall on x86_64 processors. An attacker could exploit this flaw to cause a denial of service (system crash) or potentially gain administrative privileges.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Ubuntu
Linux kernel (Quantal HWE) vulnerability
vendor_ubuntu·2014-07-05
CVE-2014-4699 Linux kernel (Quantal HWE) vulnerability
Title: Linux kernel (Quantal HWE) vulnerability
Summary: The system could be made to crash or run programs as an administrator.
Andy Lutomirski discovered a flaw with the Linux kernel's ptrace syscall on x86_64 processors. An attacker could exploit this flaw to cause a denial of service (system crash) or potentially gain administrative privileges.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Ubuntu
Linux kernel (Raring HWE) vulnerability
vendor_ubuntu·2014-07-05
CVE-2014-4699 Linux kernel (Raring HWE) vulnerability
Title: Linux kernel (Raring HWE) vulnerability
Summary: The system could be made to crash or run programs as an administrator.
Andy Lutomirski discovered a flaw with the Linux kernel's ptrace syscall on x86_64 processors. An attacker could exploit this flaw to cause a denial of service (system crash) or potentially gain administrative privileges.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Ubuntu
Linux kernel vulnerability
vendor_ubuntu·2014-07-05
CVE-2014-4699 Linux kernel vulnerability
Title: Linux kernel vulnerability
Summary: The system could be made to crash or run programs as an administrator.
Andy Lutomirski discovered a flaw with the Linux kernel's ptrace syscall on x86_64 processors. An attacker could exploit this flaw to cause a denial of service (system crash) or potentially gain administrative privileges.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. If you use linux-restricted-modules, you have to update that package as well to get modules which work with the new kernel version. Unless you ma
Ubuntu
Linux kernel (EC2) vulnerability
vendor_ubuntu·2014-07-05
CVE-2014-4699 Linux kernel (EC2) vulnerability
Title: Linux kernel (EC2) vulnerability
Summary: The system could be made to crash or run programs as an administrator.
Andy Lutomirski discovered a flaw with the Linux kernel's ptrace syscall on x86_64 processors. An attacker could exploit this flaw to cause a denial of service (system crash) or potentially gain administrative privileges.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Red Hat
kernel: x86_64: ptrace: sysret to non-canonical address
vendor_redhat·2014-07-04·CVSS 6.9
CVE-2014-4699 [MEDIUM] CWE-642 kernel: x86_64: ptrace: sysret to non-canonical address
kernel: x86_64: ptrace: sysret to non-canonical address
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.
It was found that the Linux kernel's ptrace subsystem allowed a traced process' instruction pointer to be set to a non-canonical memory address without forcing the non-sysret code path when returning to user space. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.
Note: The CVE-2014-4699 issue
Debian
CVE-2014-4699: linux - The Linux kernel before 3.15.4 on Intel processors does not properly restrict us...
vendor_debian·2014·CVSS 6.9
CVE-2014-4699 [MEDIUM] CVE-2014-4699: linux - The Linux kernel before 3.15.4 on Intel processors does not properly restrict us...
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.
Scope: local
bookworm: resolved (fixed in 3.14.10-1)
bullseye: resolved (fixed in 3.14.10-1)
forky: resolved (fixed in 3.14.10-1)
sid: resolved (fixed in 3.14.10-1)
trixie: resolved (fixed in 3.14.10-1)
GHSA
GHSA-j6mr-2j2f-gxh9: The Linux kernel before 3
ghsa_unreviewed·2022-05-13
CVE-2014-4699 [MEDIUM] CWE-362 GHSA-j6mr-2j2f-gxh9: The Linux kernel before 3
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.
OSV
CVE-2014-4699: The Linux kernel before 3
osv·2014-07-09·CVSS 6.9
CVE-2014-4699 [MEDIUM] CVE-2014-4699: The Linux kernel before 3
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.
No detection rules found.
Bugzilla
CVE-2014-4699 kernel: x86_64: ptrace: sysret to non-canonical address [fedora-all]
bugzilla·2014-07-04·CVSS 6.9
CVE-2014-4699 [MEDIUM] CVE-2014-4699 kernel: x86_64: ptrace: sysret to non-canonical address [fedora-all]
CVE-2014-4699 kernel: x86_64: ptrace: sysret to non-canonical address [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.
NOTE: this issue affects mult
Bugzilla
CVE-2014-4699 kernel: x86_64: ptrace: sysret to non-canonical address
bugzilla·2014-07-03·CVSS 2.1
CVE-2014-4699 [LOW] CVE-2014-4699 kernel: x86_64: ptrace: sysret to non-canonical address
CVE-2014-4699 kernel: x86_64: ptrace: sysret to non-canonical address
On Intel CPUs sysret to non-canonical address causes a fault on the sysret instruction itself after the stack pointer is set to user mode provided value but before the CPL is changed. Systems running on AMD CPUs are not vulnerable to this issue as sysret on AMD CPUs does not generate a fault before the CPL change.
It was found that certain Linux kernel's ptrace subsystem code paths allow the tracer to set tracee's instruction pointer to non-canonical address which is later used on tracee's return to user mode via the sysret instruction, effectively bypassing the hardening introduced via the fixes for CVE-2005-1764 (introduced guard page between the end of the user-mode accessible virtual address space and the beginning
References
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a
http://linux.oracle.com/errata/ELSA-2014-0924.html
http://linux.oracle.com/errata/ELSA-2014-3047.html
http://linux.oracle.com/errata/ELSA-2014-3048.html
http://openwall.com/lists/oss-security/2014/07/05/4
http://openwall.com/lists/oss-security/2014/07/08/16
http://openwall.com/lists/oss-security/2014/07/08/5
http://packetstormsecurity.com/files/127573/Linux-Kernel-ptrace-sysret-Local-Privilege-Escalation.html
http://secunia.com/advisories/59633
http://secunia.com/advisories/59639
http://secunia.com/advisories/59654
http://secunia.com/advisories/60220
http://secunia.com/advisories/60380
http://secunia.com/advisories/60393
http://www.debian.org/security/2014/dsa-2972
http://www.exploit-db.com/exploits/34134
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.15.4
http://www.openwall.com/lists/oss-security/2014/07/04/4
http://www.osvdb.org/108754
http://www.ubuntu.com/usn/USN-2266-1
http://www.ubuntu.com/usn/USN-2267-1
http://www.ubuntu.com/usn/USN-2268-1
http://www.ubuntu.com/usn/USN-2269-1
http://www.ubuntu.com/usn/USN-2270-1
http://www.ubuntu.com/usn/USN-2271-1
http://www.ubuntu.com/usn/USN-2272-1
http://www.ubuntu.com/usn/USN-2273-1
http://www.ubuntu.com/usn/USN-2274-1
https://bugzilla.redhat.com/show_bug.cgi?id=1115927
https://github.com/torvalds/linux/commit/b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.47
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.11
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.97
Published: 2014-07-09