Multiple integer overflows leading to heap corruption flaws were discovered in file2strvec(). These vulnerabilities can lead to privilege escalation for a local attacker who can create entries in procfs by starting processes, which will lead to crashes or arbitrary code execution in proc utilities run by other users (eg pgrep, pkill, pidof, w).
Find out more about CVE-2018-1124 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS3 Base Score | 7.3 |
---|---|
CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
Attack Vector | Local |
Attack Complexity | Low |
Privileges Required | Low |
User Interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity Impact | High |
Availability Impact | High |
Platform | Errata | Release Date |
---|---|---|
Red Hat Enterprise Linux Server TUS (v. 6.6) (procps) | RHSA-2018:2268 | 2018-07-26 |
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts | RHSA-2018:1820 | 2018-06-11 |
Red Hat Enterprise Linux Advanced Update Support 6.6 (procps) | RHSA-2018:2268 | 2018-07-26 |
Red Hat Enterprise Linux 7 (procps-ng) | RHSA-2018:1700 | 2018-05-23 |
Red Hat Enterprise Linux Extended Update Support 6.7 (procps) | RHSA-2018:2267 | 2018-07-26 |
Red Hat Enterprise Linux 6 (procps) | RHSA-2018:1777 | 2018-05-31 |
Platform | Package | State |
---|---|---|
Red Hat Enterprise Linux 5 | procps | Will not fix |