CVE-2019-19241

Published: Dec 17, 2019 Last Modified: Nov 21, 2024 EU-VD ID: EUVD-2019-8867 Aliases: GSD-2019-19241
HIGH 7.8
Attack Vector: local
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
MEDIUM 4.6
Access Vector: local
Access Complexity: low
Authentication: none
Confidentiality: partial
Integrity: partial
Availability: partial

Description

In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context.

EPSS (Exploit Prediction Scoring System)

Predicts the probability of exploitation based on threat intelligence and the characteristics of the vulnerability.

EPSS Score
0.0094
Percentile
0.8th
Updated

EPSS Score Trend (Last 91 Days)

Exploit

Verified Local

Linux 5.3 - Privilege Escalation via io_uring Offload of sendmsg() onto Kernel Thread with Kernel Creds

Operating System

Linux Kernel by Linux

Version Range Affected
To 5.4.2 (exclusive)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://bugs.chromium.org/p/project-zero/issues/detail?id=1975
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.2
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1…
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d…
https://security.netapp.com/advisory/ntap-20200103-0001/
https://usn.ubuntu.com/4284-1/