Uma nova vulnerabilidade do kernel Linux identificado como CVE-2018-14619 foi descoberto pela Red Hat Engenharia pesquisadores Florian Weimer e Ondrej Mosnacek. Mais particularmente, A falha foi encontrada no subsistema de criptografia do kernel Linux.
CVE-2018-14619 Technical Details
The flaw could grant a local user the right to crash the machine and to cause corrupt memory leading to privilege escalation.
o “null skcipher” was being dropped in the wrong place – when each af_alg_ctx was freed instead of when the aead_tfm was freed. This can cause the null skcipher to be freed while it is still in use, os pesquisadores explicaram.
The CVE-2018-14619 vulnerability is located in Linux Kernel up to 4.15-rc3 and it’s been classified as critical. A function of the component Crypto Subsystem has been affected, and as a result of it, a memory corruption vulnerability appears. The result of an exploit could lead to an impact on confidentiality, intergrity, and availability, pesquisadores dizer.
It appears that the vulnerability was shared on 08/30/2018 in the form of a bug report on Bugzilla bugzilla.redhat.com. It should be noted that for CVE-2018-14619 to be triggered, local access is required, with a single authentication needed for exploitation. The structure of the vulnerability defines a possible price range of USD $5k-$25k at the moment, Bugzilla researchers reported.
To mitigate the CVE-2018-14619 vulnerability, upgrading to version 4.15-rc4 is needed. Once the update in applied, the vulnerability is eliminated.