CVE-2014-9717 : fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH umount2 system calls without verifying that the MNT

fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH umount2 system calls without verifying that the MNT_LOCKED flag is unset, which allows local users to bypass intended access restrictions and navigate to filesystem locations beneath a mount by calling umount2 within a user namespace.

Published 2016-05-02 10:59:07

Updated 2016-08-12 01:59:05

Source MITRE

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Exploit prediction scoring system (EPSS) score for CVE-2014-9717

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2014-9717

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.6	LOW	AV:L/AC:L/Au:N/C:P/I:P/A:N	3.9	4.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
6.1	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N	1.8	4.2	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: High Availability: None

CWE ids for CVE-2014-9717

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-9717

http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00056.html

[security-announce] SUSE-SU-2016:1696-1: important: Security update for

CVEs referencing this url
http://www.spinics.net/lists/linux-containers/msg30786.html

Linux Containers: [PATCH review 0/19] Locked mount and loopback mount fixes
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce07d891a0891d3c0d0c2d73d577490486b809e1

kernel/git/torvalds/linux.git - Linux kernel source tree
Vendor Advisory
http://www.openwall.com/lists/oss-security/2015/04/17/4

oss-security - USERNS allows circumventing MNT_LOCKED
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00054.html

[security-announce] SUSE-SU-2016:1690-1: important: Security update for

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html

[security-announce] SUSE-SU-2016:1937-1: important: Security update for

CVEs referencing this url
https://groups.google.com/forum/message/raw?msg=linux.kernel/HnegnbXk0Vs/RClojwJzAFEJ
https://github.com/torvalds/linux/commit/ce07d891a0891d3c0d0c2d73d577490486b809e1

mnt: Honor MNT_LOCKED when detaching mounts · torvalds/linux@ce07d89 · GitHub
Vendor Advisory
http://www.securityfocus.com/bid/74226

Linux Kernel CVE-2014-9717 Local Privilege Escalation Vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1226751

1226751 – (CVE-2014-9717) CVE-2014-9717 kernel: unsharing MNT_LOCKED mount can expose files beneath the mount.
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.0.2

CVEs referencing this url

Products affected by CVE-2014-9717

Linux » Linux Kernel
Versions up to, including, (<=) 4.0.1
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2014-9717

Exploit prediction scoring system (EPSS) score for CVE-2014-9717

CVSS scores for CVE-2014-9717

CWE ids for CVE-2014-9717

References for CVE-2014-9717

Products affected by CVE-2014-9717