CVE-2014-9644: Exposed Dangerous Method or Function in Kernel

Severity: 2.1 LOW (NVD)
EPSS: 0.1% (top 83.98%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 2; Latest update May 13

Description

The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421.

CVSS vector

AV:L/AC:L/C:N/I:P/A:N
Exploitability: 3.9 | Impact: 2.9

Affected Packages (3 packages)

NVD: linux/linux_kernel < 3.18.5
Debian: linux/linux_kernel < 3.16.7-ckt4-2+3
NVD: oracle/linux 5, 6, 7+2

Also affects: Debian Linux 7.0, 8.0, Ubuntu Linux 12.04, 14.04, 14.10

Patches

🔴 Vulnerability Details (4)

GHSA: GHSA-m5x6-353v-hmg2: The Crypto API in the Linux kernel before 3 (2022-05-13)
OSV: linux-lts-utopic vulnerabilities (2015-03-24)
OSV: CVE-2014-9644: The Crypto API in the Linux kernel before 3 (2015-03-02)
CVEList: CVE-2014-9644: The Crypto API in the Linux kernel before 3 (2015-03-02)

📋 Vendor Advisories (9)

Ubuntu: Linux kernel vulnerabilities (2015-03-24)
Ubuntu: Linux kernel vulnerabilities (2015-03-24)
Ubuntu: Linux kernel (Trusty HWE) vulnerabilities (2015-03-24)
Ubuntu: Linux kernel (Utopic HWE) vulnerabilities (2015-03-24)
Ubuntu: Linux kernel (OMAP4) vulnerabilities (2015-02-26)

💬 Community (3)

Bugzilla: CVE-2015-1855 ruby: OpenSSL extension hostname matching implementation violates RFC 6125 (2015-04-08)
Bugzilla: CVE-2014-9644 Linux kernel: crypto api unprivileged arbitrary module load via request_module() [fedora-all] (2015-02-10)
Bugzilla: CVE-2014-9644 Linux kernel: crypto api unprivileged arbitrary module load via request_module() (2015-02-09)