CVE-2016-8655
Published: 2016-12-08
Priority: P3 · 57 · high · 7.8 (CVSS 3.1)
CVSS vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit available
EPSS: 11.13% (95.4th percentile)
Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions.
Affected
49 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | linux | < linux 4.8.15-1 (bookworm) | linux 4.8.15-1 (bookworm) |
| debian | linux | < linux 4.12.6-1 (bookworm) | linux 4.12.6-1 (bookworm) |
| android | — | — | — |
| linux | linux_kernel | >= 0 < 4.8.15-1 | 4.8.15-1 |
| linux | linux_kernel | >= 0 < 4.12.6-1 | 4.12.6-1 |
| linux | linux_kernel | >= 0 < 4.8.15-1 | 4.8.15-1 |
| linux | linux_kernel | >= 0 < 4.12.6-1 | 4.12.6-1 |
| linux | linux_kernel | >= 0 < 4.8.15-1 | 4.8.15-1 |
| linux | linux_kernel | >= 0 < 4.12.6-1 | 4.12.6-1 |
| linux | linux_kernel | >= 0 < 4.8.15-1 | 4.8.15-1 |
| linux | linux_kernel | >= 0 < 4.12.6-1 | 4.12.6-1 |
| linux | linux_kernel | >= 2.6.27 < 3.2.92 | 3.2.92 |
| linux | linux_kernel | >= 3.11 < 3.12.69 | 3.12.69 |
| linux | linux_kernel | >= 3.11 < 3.16.47 | 3.16.47 |
| linux | linux_kernel | >= 3.13 < 3.16.40 | 3.16.40 |
| linux | linux_kernel | >= 3.17 < 3.18.46 | 3.18.46 |
| linux | linux_kernel | >= 3.17 < 3.18.65 | 3.18.65 |
| linux | linux_kernel | >= 3.19 < 4.1.37 | 4.1.37 |
| linux | linux_kernel | >= 3.19 < 4.1.44 | 4.1.44 |
Detection & IOCs (extracted from sources)

Detection:
- Detect exploitation attempts by monitoring for concurrent setsockopt calls on AF_PACKET sockets that toggle the TPACKET version (the PACKET_RX_RING / packet_set_ring race) from the same process, especially from unprivileged user namespaces.
- Alert on processes creating AF_PACKET SOCK_RAW sockets from unprivileged user namespaces (CONFIG_USER_NS enabled); this is a prerequisite for exploiting CVE-2016-8655 without CAP_NET_RAW.
- Flag kernel version strings matching 4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic on x86_64 as vulnerable to CVE-2016-8655.
- Detect the Outlaw dropper script pattern: creation of the hidden directories /tmp/.X19-unix, /tmp/.X13-unix and /tmp/.X17-unix, and extraction of dota3.tar.gz in /var/tmp or /tmp.
- Detect the tsm binary executing with the argument pattern -t 150 -S 6 -s 6 -p 22 from the hidden /tmp/.X19-unix/.rsync/c/ path, indicative of the Outlaw SSH scanner post-exploitation.
- Monitor for the exploit writing to the vsyscall page (0xffffffffff600000) to make it writable as part of the chocobo_root privilege escalation chain.
- Detect the race-win indicator string in process output or logs: '*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*', which signals successful exploitation.
- Block or alert on socket(AF_PACKET, SOCK_RAW, ...) combined with setsockopt PACKET_RX_RING and PACKET_VERSION from containers or unprivileged namespaces using a seccomp policy.

Prerequisites and mitigations:
- Exploitation requires unprivileged user namespaces to be enabled (CONFIG_USER_NS=y) and accessible to unprivileged users; disabling this kernel feature prevents exploitation without CAP_NET_RAW.
- The exploit requires at least 2 CPU cores to win the race condition; single-core systems are not exploitable via this technique.
- SMAP must be disabled for the chocobo_root exploit to succeed; SMEP and KASLR bypasses are included, but SMAP is a hard blocker.
- The exploit specifically targets Ubuntu (Trusty/Xenial) kernels 4.4.0 < 4.4.0-53; the patch was applied in version 4.4.0-53.74. Other distributions may be affected but are untested.
- Failed exploitation may crash the kernel; defenders should treat unexpected kernel panics on vulnerable kernel versions as a possible exploitation indicator.
- The exploit drops files to a writable directory (default /tmp); mounting /tmp and /var/tmp with noexec can impede post-exploitation payload execution.
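The detection points above (AF_PACKET raw sockets from a user namespace, PACKET_VERSION toggling around PACKET_RX_RING, the vulnerable kernel builds, and the race-won marker) as runnable detection logic over a constructed syscall trace. This is an added example, not code from any source on this page; the key=value trace format, the userns flag, and the toggle threshold and window are assumptions for the demo.

```python
import re
from collections import defaultdict

# Linux ABI constants (<linux/socket.h>, <linux/if_packet.h>).
AF_PACKET = 17
SOCK_RAW = 3
SOL_PACKET = 263
PACKET_RX_RING = 5
PACKET_VERSION = 10

# How many PACKET_VERSION changes within WINDOW_SECONDS (with at least one
# PACKET_RX_RING in the same window) we treat as the race pattern. Both values
# are assumptions chosen for this demo, not thresholds from the sources.
RACE_TOGGLE_THRESHOLD = 2
WINDOW_SECONDS = 1.0

# Kernel builds the page lists as vulnerable (Ubuntu 4.4.0 series, x86_64).
VULNERABLE_KERNEL_RE = re.compile(
    r"\b4\.4\.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic\b")
# Line chocobo_root prints when the race is won.
RACE_WON_MARKER = "*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*"

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed trace (not real auditd output): pid 900 is a benign capture tool
# that sets one TPACKET version and one ring; pid 4242 runs inside an
# unprivileged user namespace and flips PACKET_VERSION around PACKET_RX_RING.
# socket args: a0=domain a1=type a2=protocol; setsockopt: a1=level a2=optname a3=value.
SAMPLE_TRACE = """\
t=1.000 pid=900 userns=0 syscall=socket a0=17 a1=3 a2=768
t=1.001 pid=900 userns=0 syscall=setsockopt a0=3 a1=263 a2=10 a3=2
t=1.002 pid=900 userns=0 syscall=setsockopt a0=3 a1=263 a2=5 a3=0
t=2.000 pid=4242 userns=1 syscall=socket a0=17 a1=3 a2=768
t=2.001 pid=4242 userns=1 syscall=setsockopt a0=3 a1=263 a2=10 a3=2
t=2.002 pid=4242 userns=1 syscall=setsockopt a0=3 a1=263 a2=5 a3=0
t=2.003 pid=4242 userns=1 syscall=setsockopt a0=3 a1=263 a2=10 a3=0
t=2.004 pid=4242 userns=1 syscall=setsockopt a0=3 a1=263 a2=10 a3=2
t=2.005 pid=4242 userns=1 syscall=setsockopt a0=3 a1=263 a2=5 a3=0
t=2.006 pid=4242 userns=1 syscall=setsockopt a0=3 a1=263 a2=10 a3=0
t=3.000 pid=4242 msg=*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
"""


def parse_line(line):
    """Parse one 't=.. pid=.. k=v ...' line into a dict.

    A trailing 'msg=' field keeps the rest of the line verbatim so that
    process output containing spaces (like the race-won marker) survives."""
    head, sep, msg = line.partition(" msg=")
    rec = dict(FIELD_RE.findall(head))
    if sep:
        rec["msg"] = msg
    return rec


def scan_trace(text):
    """Return [(pid, rule)] alerts, in trace order, for the patterns above."""
    alerts = []
    recent = defaultdict(list)   # pid -> [(t, optname, value)] inside the window
    raced = set()                # pids already alerted for the version race
    for line in text.splitlines():
        rec = parse_line(line)
        if "pid" not in rec:
            continue
        pid = int(rec["pid"])
        if RACE_WON_MARKER in rec.get("msg", ""):
            alerts.append((pid, "race_won_marker"))
            continue
        call = rec.get("syscall")
        if call == "socket":
            domain, stype = int(rec["a0"]), int(rec["a1"]) & 0xF  # mask SOCK_* flags
            if domain == AF_PACKET and stype == SOCK_RAW and rec.get("userns") == "1":
                alerts.append((pid, "af_packet_raw_in_userns"))
        elif call == "setsockopt" and int(rec["a1"]) == SOL_PACKET:
            t, opt, val = float(rec["t"]), int(rec["a2"]), int(rec["a3"])
            if opt not in (PACKET_RX_RING, PACKET_VERSION):
                continue
            window = [e for e in recent[pid] if t - e[0] <= WINDOW_SECONDS]
            window.append((t, opt, val))
            recent[pid] = window
            versions = [v for _, o, v in window if o == PACKET_VERSION]
            toggles = sum(1 for a, b in zip(versions, versions[1:]) if a != b)
            has_ring = any(o == PACKET_RX_RING for _, o, _v in window)
            if toggles >= RACE_TOGGLE_THRESHOLD and has_ring and pid not in raced:
                raced.add(pid)
                alerts.append((pid, "tpacket_version_race"))
    return alerts


def is_vulnerable_kernel(uname_r):
    """True when the kernel release string is one of the builds listed above."""
    return VULNERABLE_KERNEL_RE.search(uname_r) is not None


if __name__ == "__main__":
    for pid, rule in scan_trace(SAMPLE_TRACE):
        print(f"pid {pid}: {rule}")
```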
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |
Red Hat
kernel: Heap out-of-bounds read in AF_PACKET sockets (CVE-2017-1000111, HIGH, CWE-362)
vendor_redhat · 2017-08-10 · CVSS 7.8
Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.
A race condition issue was found in the way the raw packet socket implementation in the Linux kernel networking subsystem handled synchr
Android
Android Security Bulletin 2017-03-01 (CVE-2016-8655, HIGH)
vendor_android · 2017-03-01 · CVSS 7.8
CVE: CVE-2016-8655
Severity: HIGH
References: A-33358926
Upstream kernel
Debian
CVE-2017-1000111: linux - Linux kernel: heap out-of-bounds in AF_PACKET sockets (HIGH)
vendor_debian · 2017 · CVSS 7.8
Scope: local
bookworm: resolved (fixed in 4.12.6-1)
bullseye: resolved (fixed in 4.12.6-1)
forky: resolved (fixed in 4.12.6-1)
sid: resolved (fixed in 4.12.6-1)
trixie: resolved (fixed in 4.1
Ubuntu
Linux kernel (OMAP4) vulnerability (CVE-2016-8655)
vendor_ubuntu · 2016-12-06
Summary: The system could be made to crash or run programs as an administrator.
Philip Pettersson discovered a race condition in the af_packet
implementation in the Linux kernel. A local unprivileged attacker could use
this to cause a denial of service (system crash) or run arbitrary code with
administrative privileges.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, li
Ubuntu
Linux kernel (Raspberry Pi 2) vulnerability (CVE-2016-8655)
vendor_ubuntu · 2016-12-06
Summary: The system could be made to crash or run programs as an administrator.
Philip Pettersson discovered a race condition in the af_packet
implementation in the Linux kernel. A local unprivileged attacker could use
this to cause a denial of service (system crash) or run arbitrary code with
administrative privileges.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RE
Red Hat
kernel: Race condition in packet_set_ring leads to use after free (CVE-2016-8655, HIGH, CWE-366)
vendor_redhat · 2016-12-06 · CVSS 7.8
A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.
Statement: This issue does not affect Red Hat Enterprise Linux 5 and
Ubuntu
Linux kernel (Qualcomm Snapdragon) vulnerability (CVE-2016-8655)
vendor_ubuntu · 2016-12-05
Summary: The system could be made to crash or run programs as an administrator.
Philip Pettersson discovered a race condition in the af_packet
implementation in the Linux kernel. A local unprivileged attacker could use
this to cause a denial of service (system crash) or run arbitrary code with
administrative privileges.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-l
Ubuntu
Linux kernel (Trusty HWE) vulnerability (CVE-2016-8655)
vendor_ubuntu · 2016-12-05
Summary: The system could be made to run programs as an administrator.
USN-3149-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 LTS.
Philip Pettersson discovered a race condition in the af_packet
implementation in the Linux kernel. A local unprivileged attacker could use
this to cause a denial of service (system crash) or run arbitrary code with
administrative privileges.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which re
Ubuntu
Linux kernel vulnerability (CVE-2016-8655)
vendor_ubuntu · 2016-12-05
Summary: The system could be made to crash or run programs as an administrator.
Philip Pettersson discovered a race condition in the af_packet
implementation in the Linux kernel. A local unprivileged attacker could use
this to cause a denial of service (system crash) or run arbitrary code with
administrative privileges.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virt
Ubuntu
Linux kernel (Xenial HWE) vulnerability (CVE-2016-8655)
vendor_ubuntu · 2016-12-05
Summary: The system could be made to crash or run programs as an administrator.
USN-3151-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
Philip Pettersson discovered a race condition in the af_packet
implementation in the Linux kernel. A local unprivileged attacker could use
this to cause a denial of service (system crash) or run arbitrary code with
administrative privileges.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number,
Debian
CVE-2016-8655: linux - Race condition in net/packet/af_packet.c (HIGH)
vendor_debian · 2016 · CVSS 7.8
Scope: local
bookworm: resolved (fixed in 4.8.15-1)
bullseye: resolved (fixed in 4.8.15-1)
forky: resolved (fixed in 4.8.15-1)
sid: resolved (fixed in 4.8.15-1)
trixie: resolved (fixed in 4.8.15-1)
GHSA
GHSA-3x7h-7xqw-rj45: Race condition in net/packet/af_packet (CVE-2016-8655, HIGH, CWE-362)
ghsa_unreviewed · 2022-05-14
GHSA
GHSA-7m59-9m96-wch5: Linux kernel: heap out-of-bounds in AF_PACKET sockets (CVE-2017-1000111, HIGH, CWE-787)
ghsa_unreviewed · 2022-05-13 · CVSS 7.8
OSV
CVE-2017-1000111: Linux kernel: heap out-of-bounds in AF_PACKET sockets (HIGH)
osv · 2017-10-05 · CVSS 7.8
Project Zero
Exploiting the Linux kernel via packet sockets - Project Zero (CVE-2016-8655, HIGH)
project_zero · 2017-05-01 · CVSS 7.8
Guest blog post, posted by Andrey Konovalov
Introduction
Lately I’ve been spending some time fuzzing network-related Linux kernel interfaces with syzkaller. Besides the recently discovered vulnerability in DCCP sockets, I also found another one, this time in packet sockets. This post describes how the bug was discovered and how we can exploit it to escalate privileges.
The bug itself (CVE-2017-7308) is a signedness issue, which leads to an exploitable heap-out-of-bounds write. It can be triggered by providing specific parameters to the PACKET_RX_RING option on an AF_PACKET socket with a TPACKET_V3 ring buffer version enabled. As a result the following sanity check in the packet_set_ring() function in net/packet/af_packet.c can be bypassed, which later leads to an out-of-bounds access.
OSV
CVE-2016-8655: Race condition in net/packet/af_packet (HIGH)
osv · 2016-12-08 · CVSS 7.8
No detection rules found.
Exploit-DB
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condition Privilege Escalation (CVE-2016-8655, HIGH)
exploitdb · 2018-12-29 · CVSS 7.8
hdr.bh1.offset_to_first_pkt = 48
*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
closing socket and verifying.......
vsyscall page altered!
stage 1 completed
registering new sysctl..
new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 30773, last val = 0)
current packet version = 2
pbd->hdr.bh1.offset_to_first_pkt = 48
race not won
retrying stage..
new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (
Exploit-DB
Linux 4.4.0 < 4.4.0-53 - 'AF_PACKET chocobo_root' Local Privilege Escalation (Metasploit) (CVE-2016-8655, HIGH)
exploitdb · 2018-05-22 · CVSS 7.8
Linux 4.4.0 'AF_PACKET chocobo_root Privilege Escalation',
'Description' => %q{
This module exploits a race condition and use-after-free in the
packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in
the Linux kernel to execute code as root (CVE-2016-8655).
The bug was initially introduced in 2011 and patched in 2016 in version
4.4.0-53.74, potentially affecting a large number of kernels; however
this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels
4.4.0 MSF_LICENSE,
'Author' =>
[
'rebel', # Discovery and chocobo_root.c exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Aug 12 2016',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'Referen
Exploit-DB
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation (CVE-2016-8655)
exploitdb · 2016-12-06
---
/*
chocobo_root.c
linux AF_PACKET race condition exploit
exploit for Ubuntu 16.04 x86_64
vroom vroom
user@ubuntu:~$ uname -a
Linux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu:~$ id
uid=1000(user) gid=1000(user) groups=1000(user)
user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread
user@ubuntu:~$ ./chocobo_root
linux AF_PACKET race condition exploit by rebel
kernel version: 4.4.0-51-generic #72
proc_dostring = 0xffffffff81088090
modprobe_path = 0xffffffff81e48f80
register_sysctl_table = 0xffffffff812879a0
set_memory_rw = 0xffffffff8106f320
exploit starting
making vsyscall page writable..
new exploit attempt startin
Metasploit
AF_PACKET chocobo_root Privilege Escalation (CVE-2016-8655, HIGH)
metasploit · CVSS 7.8
This module exploits a race condition and use-after-free in the packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel to execute code as root (CVE-2016-8655). The bug was initially introduced in 2011 and patched in 2016 in version 4.4.0-53.74, potentially affecting a large number of kernels; however this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels 4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as Linux Mint. The target system must have unprivileged user namespaces enabled, two or more CPU cores, and SMAP must be disabled. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on Linux Mint 17.3 (x86_64); Lin
Unit42
CVE-2020-14386: Privilege Escalation Vulnerability in the Linux kernel (HIGH)
blogs_unit42 · 2020-10-10 · CVSS 7.8
## Executive Summary
Lately, I’ve been investing time into auditing packet sockets source code in the Linux kernel. This led me to the discovery of CVE-2020-14386, a memory corruption vulnerability in the Linux kernel. Such a vulnerability can be used to escalate privileges from an unprivileged user into the root user on a Linux system. In this blog, I will provide a technical walkthrough of the vulnerability, how it can be exploited and how Palo Alto Networks customers are protected.
A few years ago, several vulnerabilities were discovered in packet sockets (CVE-2017-7308 and CVE-2016-8655), and there are some publications, such as this one in the Project Zero blog and this in Openwall, which give some overview of the main functionality.
Specifically, in order for the vulnerability to
Unit42
CVE-2020-14386: Privilege Escalation Vulnerability in the Linux kernel (HIGH)
blogs_unit42 · 2020-10-10 · CVSS 7.8
By Or Cohen · Published: October 9, 2020 · Threat Research / Vulnerabilities · Tags: CVE-2020-14386, Linux, Privilege escalation
Trendmicro
Outlaw Updates: Kill Old Miner Versions, Target More
blogs_trendmicro · 2020-02-10
Category: APT & Targeted Attacks
We observed an increase in hacking group Outlaw's activities in December, with updates on the kits' capabilities reminiscent of their previous attacks.
By: Jindrich Karasek, Augusto Remillano II
2020/02/10
As we’ve observed with cybercriminal groups that aim to maximize profits for every campaign, silence doesn’t necessarily mean inactivity. It appears hacking group Outlaw, which has been silent for the past few months, was simply developing their toolkit for illicit income sources. While they have been quiet since our June analysis, we observed an increase in the group’s activities in December, with updates on the kits’ capabilities reminiscent of their previous attacks. T
arXiv
Shrinking the Kernel Attack Surface Through Static and Dynamic Syscall Limitation
arxiv_fulltext · 2025-10-04
Dongyang Zhan* (Member, IEEE), Zhaofeng Yu, Xiangzhan Yu, Hongli Zhang and Lin Ye
D. Zhan, Z. Yu, X. Yu, H. Zhang and L. Ye are with the School of Cyberspace Science, Harbin Institute of Technology, Harbin, Heilongjiang, 150001.
E-mail: {zhandy, 20S003135, yuxiangzhan, zhanghongli, hityelin}@hit.edu.cn
* Corresponding Author
## Abstract
Linux Seccomp is widely used by the program developers and the system maintainers to secure the operating systems, which can block unused syscalls for different applications and containers to shrink the attack surface of the operating systems. However, it is difficult to configure the whitelist of a container or application without the help of program developers. Docker con
arXiv
Threat Modeling and Security Analysis of Containers: A Survey
arxiv_fulltext · 2021-11-22
Ann Yi Wong (1), Eyasu Getahun Chekole (1), Martín Ochoa (2), Jianying Zhou (1)
(1) Singapore University of Technology and Design, Singapore 487372, Singapore; {eyasu_chekole, jianying_zhou}@sutd.edu.sg
(2) Department of Computer Science, ETH Zurich, 8092 Zurich, Switzerland
## Abstract
Traditionally, applications that are used in large and small enterprises were deployed on ``bare metal'' servers installed with operating systems. Recently, the use of multiple virtual machines (VMs) on the same physical server was adopted due to cost reduction and flexibility. Nowadays, containers have become popular for application deployment due to smaller footprints than the VMs, their ability to start
Bugzilla
CVE-2016-8655 kernel: Race condition in packet_set_ring leads to use after free [fedora-all] (HIGH)
bugzilla · 2016-12-06 · CVSS 7.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple support
Bugzilla
CVE-2016-8655 kernel: Race condition in packet_set_ring leads to use after free (HIGH)
bugzilla · 2016-11-30 · CVSS 7.8
A race condition vulnerability was found in packet_set_ring that can lead to a use after free on a function pointer. This vulnerability can be used to gain kernel code execution by a local attacker capable of creating AF_PACKET sockets. This issue was introduced with the following commit:
https://github.com/torvalds/linux/commit/f6fb8f100b807378fda19e83e5ac6828b638603a
Discussion:
Acknowledgments:
Name: Philip Pettersson
---
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1401820]
---
Public via:
http://seclists.org/oss-sec/2016/q4/607
---
Upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c
---
Sta
References
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c
- http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00044.html
- http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00054.html
- http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00055.html
- http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00056.html
- http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00067.html
- http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00070.html
- http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00073.html
- http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00076.html
- http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00077.html
- http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00087.html
- http://packetstormsecurity.com/files/140063/Linux-Kernel-4.4.0-AF_PACKET-Race-Condition-Privilege-Escalation.html
- http://rhn.redhat.com/errata/RHSA-2017-0386.html
- http://rhn.redhat.com/errata/RHSA-2017-0387.html
- http://rhn.redhat.com/errata/RHSA-2017-0402.html
- http://www.openwall.com/lists/oss-security/2016/12/06/1
- http://www.securityfocus.com/bid/94692
- http://www.securitytracker.com/id/1037403
- http://www.securitytracker.com/id/1037968
- http://www.ubuntu.com/usn/USN-3149-1
- http://www.ubuntu.com/usn/USN-3149-2
- http://www.ubuntu.com/usn/USN-3150-1
- http://www.ubuntu.com/usn/USN-3150-2
- http://www.ubuntu.com/usn/USN-3151-1
- http://www.ubuntu.com/usn/USN-3151-2
- http://www.ubuntu.com/usn/USN-3151-3
- http://www.ubuntu.com/usn/USN-3151-4
- http://www.ubuntu.com/usn/USN-3152-1
- http://www.ubuntu.com/usn/USN-3152-2
- https://bugzilla.redhat.com/show_bug.cgi?id=1400019
- https://github.com/torvalds/linux/commit/84ac7260236a49c79eede91617700174c2c19b0c
- https://source.android.com/security/bulletin/2017-03-01.html
- https://www.exploit-db.com/exploits/40871/
- https://www.exploit-db.com/exploits/44696/